CN102395129A - Framework of media-independent pre-authentication support for pana - Google Patents


Info

Publication number: CN102395129A
Authority: CN (China)
Prior art keywords: network, mobile node, address, authentication, mobile
Legal status: Pending (as listed; not a legal conclusion)
Application number: CN2011103346366A
Other languages: Chinese (zh)
Inventors: A. Dutta (A·杜塔), V. Fajardo (V·法雅尔多), Yoshihiro Ohba (大场义洋), Kenichi Taniuchi (谷内谦一)
Current assignees: Toshiba Corp; Iconectiv LLC
Original assignees: Toshiba Corp; Telcordia Technologies Inc
Priority claimed from: US 11/279,856 (US7738882B2)
Application filed by: Toshiba Corp, Telcordia Technologies Inc
Publication: CN102395129A

Classifications

All classifications fall under H (Electricity), H04 (Electric communication technique), and either H04W (Wireless communication networks) or H04L (Transmission of digital information, e.g. telegraphic communication).

    • H04W 12/062 Pre-authentication (under H04W 12/06 Authentication; H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/069 Authentication using certificates or pre-shared keys (under H04W 12/06 Authentication; H04W 12/00)
    • H04W 36/322 Reselection triggered by location data (under H04W 36/32 Reselection triggered by location or mobility data, e.g. speed data; H04W 36/24 Reselection triggered by specific parameters; H04W 36/00 Hand-off or reselection arrangements)
    • H04L 63/08 Network architectures or network communication protocols for network security, for authentication of entities (under H04L 63/00)
    • H04W 36/005 Control or signalling for completing the hand-off involving radio access media independent information, e.g. MIH [Media Independent Hand-off] (under H04W 36/0005 Control or signalling for completing the hand-off; H04W 36/00)
    • H04W 84/12 WLAN [Wireless Local Area Networks] (under H04W 84/10 Small scale networks; Flat hierarchical networks; H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN or WLL; H04W 84/00 Network topologies)


Abstract

The preferred embodiments herein relate to methods and systems for controlling a handoff decision related to switch back of a mobile node between a first network and a second network in a media independent pre-authentication framework and/or to methods and systems for mitigating effects of undesired switch back of a mobile node between a first network and a second network in a media independent pre-authentication framework.

Description

Improved framework for media-independent pre-authentication
Divisional application statement
This application is a divisional application of Chinese application No. 20068000615.8, which entered the Chinese national phase from international application PCT/JP2006/314312, and claims the rights and interests of the original application.
Technical field
The present application relates in particular to methods of pre-authentication, for example methods of media-independent pre-authentication and the like.
Background
There are many types of computer networks, of which the Internet is the best known. The Internet is a worldwide network of computer networks. Today the Internet is a public, self-sustaining network used by millions of users. The Internet uses a set of communication protocols called TCP/IP (i.e., Transmission Control Protocol/Internet Protocol) to connect hosts. The Internet has a communications infrastructure known as the Internet backbone. Access to the Internet backbone is largely controlled by Internet service providers (ISPs), which resell access to companies and individuals.
IP (Internet Protocol) is a protocol by which data can be sent from one device (for example, a phone, a PDA [personal digital assistant], a computer, etc.) to another device on a network. There are several versions of IP today, including, for example, IPv4, IPv6, etc. Each host device on the network has at least one IP address, which is its own unique identifier. IP is a connectionless protocol: the connection between endpoints during a communication is not continuous. When a user sends or receives data or messages, the data or messages are divided into components called packets. Each packet is treated as an independent unit of data.
To standardize transmission between points on the Internet or similar networks, the OSI (Open Systems Interconnection) model was established. The OSI model divides the communication process between two points on a network into seven layers, each layer adding its own set of functions. Each device processes a message so that there is a downward flow through each layer at a sending endpoint and an upward flow through the layers at a receiving endpoint. The programming and/or hardware that provides the seven layers of functions is typically a combination of device operating systems, application software, TCP/IP and/or other transport and network protocols, and other software and hardware.
Typically, the top four layers are used when a message passes from or to a user, and the lower three layers are used when a message passes through a device (for example, an IP host device). An IP host is any device on the network that is capable of sending and receiving IP packets, such as a server, a router or a workstation. Messages destined for some other host are not passed up to the upper layers but are forwarded to the other host. The layers of the OSI model are listed below. Layer 7 (i.e., the application layer) is the layer at which, for example, communication partners are identified, quality of service is identified, user authentication and privacy are considered, constraints on data syntax are recognized, etc. Layer 6 (i.e., the presentation layer) is the layer that, for example, converts incoming and outgoing data from one presentation format to another, etc. Layer 5 (i.e., the session layer) is the layer that, for example, sets up, coordinates and terminates conversations, exchanges and dialogs between applications, etc. Layer 4 (i.e., the transport layer) is the layer that, for example, manages end-to-end control and error checking, etc. Layer 3 (i.e., the network layer) is the layer that, for example, handles routing and forwarding, etc. Layer 2 (i.e., the data link layer) is the layer that, for example, provides synchronization for the physical level, does bit-stuffing, and furnishes transmission protocol knowledge and management, etc. The Institute of Electrical and Electronics Engineers (IEEE) subdivides the data link layer into two further sublayers: the MAC (Media Access Control) layer, which controls data transfer to and from the physical layer, and the LLC (Logical Link Control) layer, which interfaces with the network layer, interprets commands and performs error recovery. Layer 1 (i.e., the physical layer) is the layer that, for example, conveys the bit stream through the network at the physical level. The IEEE subdivides the physical layer into the PLCP (Physical Layer Convergence Procedure) sublayer and the PMD (Physical Medium Dependent) sublayer.
Wireless networks:
Wireless networks can incorporate a variety of types of mobile devices, such as cellular and wireless telephones, PCs (personal computers), laptop computers, wearable computers, cordless phones, pagers, headsets, printers, PDAs, etc. For example, mobile devices may include digital systems to secure fast wireless transmission of voice and/or data. Typical mobile devices include some or all of the following components: a transceiver (i.e., a transmitter and a receiver, including, for example, a single-chip transceiver with an integrated transmitter, receiver and, if desired, other functions); an antenna; a processor; one or more audio transducers (for example, a speaker or a microphone, as in devices for audio communications); electromagnetic data storage (such as ROM, RAM, digital data storage, etc., as in devices where data processing is provided); memory; flash memory; a full chip set or integrated circuit; interfaces (such as USB, CODEC, UART, PCM, etc.); and/or the like.
Wireless LANs (WLANs), in which a wireless user can connect to a local area network (LAN) through a wireless connection, may be employed for wireless communications. Wireless communications can include, for example, communications that propagate via electromagnetic waves, such as light, infrared, radio and microwave. A variety of WLAN standards currently exist, such as, for example, Bluetooth, IEEE 802.11 and HomeRF.
By way of example, Bluetooth products may be used to provide links between mobile computers, mobile phones, portable handheld devices, personal digital assistants (PDAs) and other mobile devices, and connectivity to the Internet. Bluetooth is a computing and telecommunications industry specification that details how mobile devices can easily interconnect with each other and with non-mobile devices using a short-range wireless connection. Bluetooth creates a digital wireless protocol to address end-user problems arising from the proliferation of various mobile devices that need to keep data synchronized and consistent from one device to another, thereby allowing equipment from different vendors to work seamlessly together. Bluetooth devices may be named according to a common naming concept. For example, a Bluetooth device may possess a Bluetooth Device Name (BDN) or a name associated with a unique Bluetooth Device Address (BDA). Bluetooth devices may also participate in an Internet Protocol (IP) network. If a Bluetooth device functions on an IP network, it may be provided with an IP address and an IP (network) name. Thus, a Bluetooth device configured to participate in an IP network may contain, for example, a BDN, a BDA, an IP address and an IP name. The term "IP name" refers to a name corresponding to an IP address of an interface.
An IEEE standard, IEEE 802.11, specifies technologies for wireless LANs and devices. Using 802.11, wireless networking may be accomplished with a single base station supporting several devices. In some examples, devices may come pre-equipped with wireless hardware, or a user may install a separate piece of hardware, such as a card, that may include an antenna. By way of example, devices used in 802.11 typically include three notable elements, whether or not the device is an access point (AP), a mobile station (STA), a bridge, a PCMCIA card or another device: a radio transceiver; an antenna; and a MAC (Media Access Control) layer that controls packet flow between nodes in the network.
In addition, Multiple Interface Devices (MIDs) may be used in some wireless networks. A MID may contain two independent network interfaces, such as a Bluetooth interface and an 802.11 interface, thus allowing the MID to participate in two separate networks as well as to interface with Bluetooth devices. The MID may have an IP address and a common IP (network) name associated with that IP address.
Wireless network devices may include, but are not limited to, Bluetooth devices, Multiple Interface Devices (MIDs), 802.11x devices (IEEE 802.11 devices including, for example, 802.11a, 802.11b and 802.11g devices), HomeRF (Home Radio Frequency) devices, Wi-Fi (Wireless Fidelity) devices, GPRS (General Packet Radio Service) devices, 3G cellular devices, 2.5G cellular devices, GSM (Global System for Mobile Communications) devices, EDGE (Enhanced Data for GSM Evolution) devices, TDMA type (Time Division Multiple Access) devices, or CDMA type (Code Division Multiple Access) devices, including CDMA2000. Each network device may contain addresses of varying types, including but not limited to an IP address, a Bluetooth Device Address, a Bluetooth Common Name, a Bluetooth IP address, a Bluetooth IP Common Name, an 802.11 IP address, an 802.11 IP common name, or an IEEE MAC address.
Wireless networks can also involve methods and protocols found in, for example, Mobile IP (Internet Protocol) systems, PCS systems and other mobile network systems. With respect to Mobile IP, this involves a standard communications protocol created by the Internet Engineering Task Force (IETF). With Mobile IP, mobile device users can move across networks while keeping the IP address assigned to them once. See Request for Comments (RFC) 3344. NB: RFCs are formal documents of the Internet Engineering Task Force (IETF). Mobile IP enhances the Internet Protocol (IP) and adds means to forward Internet traffic to mobile devices when they connect outside their home network. Mobile IP assigns each mobile node a home address on its home network and a care-of address (CoA) that identifies the current location of the device within a network and its subnets. When a device moves to a different network, it receives a new care-of address. A mobility agent on the home network can associate each home address with its care-of address. The mobile node can send a binding update to the home agent each time it changes its care-of address, using, for example, the Internet Control Message Protocol (ICMP).
In basic IP routing (for example, outside Mobile IP), routing mechanisms rely on the assumption that each network node always has a constant attachment point to, for example, the Internet, and that each node's IP address identifies the network link to which it is attached. In this document, the term "node" includes a connection point, which can include, for example, a redistribution point or an end point for data transmissions, and which can recognize, process and/or forward communications to other nodes. For example, Internet routers can look at, for example, an IP address prefix or the like that identifies a device's network. Then, at the network level, routers can look at, for example, a set of bits identifying a particular subnet. Then, at the subnet level, routers can look at, for example, a set of bits identifying a particular device. With typical Mobile IP communications, if a user disconnects a mobile device from, for example, the Internet and tries to reconnect it on a new subnet, then the device has to be reconfigured with a new IP address, a proper netmask and a default router. Otherwise, routing protocols would not be able to deliver the packets properly.
Fig. 4 depicts some illustrative architectural components that can be employed in some illustrative and non-limiting implementations that include wireless access points with which client devices communicate. In this regard, Fig. 4 shows an illustrative wired network 20 connected to a wireless local area network (WLAN) generally designated 21. The WLAN 21 includes an access point (AP) 22 and a number of user stations 23, 24. For example, the wired network 20 can include the Internet or a corporate data processing network. For example, the access point 22 can be a wireless router, and the user stations 23, 24 can be, for example, portable computers, personal desktop computers, PDAs, portable voice-over-IP telephones and/or other devices. The access point 22 has a network interface 25 linked to the wired network 21, and a wireless transceiver in communication with the user stations 23, 24. For example, the wireless transceiver 26 can include an antenna 27 for radio or microwave frequency communication with the user stations 23, 24. The access point 22 also has a processor 28, a program memory 29 and a random access memory 31. The user station 23 has a wireless transceiver 35 including an antenna 36 for communication with the access point station 22. In a similar fashion, the user station 24 has a wireless transceiver 38 and an antenna 39 for communication with the access point 22.
In some preferred embodiments described herein, systems and methods are described for proactively establishing higher-layer and lower-layer contexts for different media. Here, media includes, for example, networks accessible by a mobile device (for example, wired, licensed wireless, unlicensed wireless, etc.). See, for example, the media discussed in IEEE 802 (including IEEE 802.21). Media can include, for example, wireless LAN (for example, IEEE 802.11), IEEE 802.16, IEEE 802.20, Bluetooth, etc. Some illustrative examples include: 1) a mobile device switching from a cellular network to a wireless or WiFi network; for example, a mobile device with a cellular interface and a wireless interface obtains initial information (for example, keys, etc.) over the cellular network in order to carry out WiFi access, rather than bringing up the wireless interface at the same time; 2) where a mobile device currently has a wireless or WiFi connection and may be about to lose it (for example, the WLAN is shutting down quickly), the mobile device can proactively pre-authenticate via the cellular network (so that it can switch quickly if needed). In some illustrative cases, a mobile node with a single IEEE 802.xx interface may roam across multiple subnets and multiple administrative domains. While keeping multiple interfaces always on is an option, a mobile node may wish to deactivate unused interfaces in some cases (for example, to save power, etc.). In addition, MPA can in particular provide secure and seamless mobility optimization that works for inter-subnet handoff, inter-domain handoff, inter-technology handoff, etc., as well as for the use of multiple interfaces.
PANA:
For ease of reference, PANA-related information from P. Jayaraman, "PANA Framework," Internet-Draft, draft-ietf-pana-framework-01.txt, work in progress, July 2004, is quoted here. In this regard, PANA is a link-layer agnostic network access authentication protocol that runs between a node that wants to gain access to the network and a server on the network side. PANA defines a new EAP [see B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson and H. Levkowetz, "Extensible Authentication Protocol (EAP)," RFC 3748, June 2004] lower layer that uses IP between the protocol endpoints.
The motivation and requirements for defining this protocol are described in A. Yegin and Y. Ohba, Protocol for Carrying Authentication for Network Access (PANA) Requirements, draft-ietf-pana-requirements-08 (work in progress), June 2004. The details of the protocol are documented in Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H. and A. Yegin, Protocol for Carrying Authentication for Network Access (PANA), draft-ietf-pana-pana-04 (work in progress), May 2004. Parthasarathy, M., PANA Enabling IPsec Based Access Control, draft-ietf-pana-ipsec-03 (work in progress), May 2004, describes the use of IPsec for access control following PANA-based authentication. IPsec can be used for per-packet access control, but it is not the only way to achieve this functionality. Other methods include relying on physical protection and on link-layer encryption. Separating the PANA server from the entity that performs access control is considered an optional implementation method. SNMP [see Mghazli, Y., Ohba, Y. and J. Bournelle, SNMP Usage for PAA-2-EP Interface, draft-ietf-pana-snmp-00 (work in progress), April 2004] has been chosen as the protocol to carry the relevant information between the separated nodes.
PANA is designed to provide support for various types of deployments. Access networks can differ in the availability of lower-layer security, the placement of the PANA entities, client IP configuration, the authentication method, etc.
PANA can be used on any access network regardless of the security of the lower layers. For example, the network may be physically protected, or it may be protected by cryptographic mechanisms after successful client-to-network authentication.
The PANA client, the PANA authentication agent, the authentication server and the enforcement point are the functional entities in this design. The PANA authentication agent and the enforcement point can be placed on various elements in the access network (such as an access point, an access router, or a dedicated host).
The IP address configuration mechanism also varies. It can be chosen from static configuration, DHCP, or stateless address autoconfiguration. If the client configuration is used to secure an IPsec tunnel for per-packet security, the IP address configured inside that tunnel also becomes relevant, because there are additional choices such as IKE.
The PANA protocol is designed to facilitate the authentication and authorization of clients in access networks. PANA is an EAP [Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Extensible Authentication Protocol (EAP), RFC 3748, June 2004] lower layer that carries EAP authentication methods encapsulated inside EAP between a client host and an agent in the access network. While PANA enables the authentication process between these two entities, it is only a part of an overall AAA and access control framework. An AAA and access control framework using PANA is composed of four functional entities, discussed below and shown in Figs. 1(A) to 1(C).
The first functional entity is the PANA Client (PaC), which is the client implementation of the PANA protocol. This entity resides on the end host that requests network access. End hosts include, for example, laptops, PDAs, cell phones, desktop PCs and/or similar devices that are connected to the network via a wired or wireless interface. The PaC is responsible for requesting network access and engaging in the authentication process using the PANA protocol.
The second functional entity is the PANA Authentication Agent (PAA), which is the server implementation of the PANA protocol. The PAA is responsible for interfacing with the PaCs in order to authenticate and authorize them for the network access service. The PAA consults an authentication server to verify the credentials and rights of a PaC. If the authentication server resides on the same host as the PAA, an application programming interface (API) is sufficient for this interaction. When they are separated (a common case in public access networks), a protocol needs to run between the two. LDAP [see Hodges, J. and R. Morgan, Lightweight Directory Access Protocol (v3): Technical Specification, RFC 3377, September 2002] and AAA protocols such as RADIUS [see Rigney, C., Willens, S., Rubens, A., and W. Simpson, Remote Authentication Dial In User Service (RADIUS), RFC 2865, June 2000] and Diameter [see Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. Arkko, Diameter Base Protocol, RFC 3588, September 2003] are commonly used for this purpose.
The PAA is also responsible for updating the access control state (i.e., the filters) as authorization state is created and deleted. The PAA communicates the updated state to the enforcement points in the network. If the PAA and the EP reside on the same host, an API is sufficient for this communication. Otherwise, a protocol is required to carry the authorized client attributes from the PAA to the EP. Although other protocols are not prohibited, SNMP [see Mghazli, Y., Ohba, Y. and J. Bournelle, SNMP Usage for PAA-2-EP Interface, draft-ietf-pana-snmp-00 (work in progress), April 2004] is currently suggested for this task.
The PAA resides on a node in the local area network that is typically called a network access server (NAS). The PAA can be hosted on any IP-enabled node on the same IP subnet as the PaC: for example, on a BAS (Broadband Access Server) in a DSL network, or on a PDSN in a 3GPP2 network.
The third functional entity is the Authentication Server (AS), a server implementation that is responsible for verifying the credentials of a PaC that is requesting the network access service. The AS receives requests from the PAA on behalf of the PaCs and responds with the result of the authentication and with authorization parameters (for example, allowed bandwidth, IP configuration, etc.). The AS may be hosted on the same host as the PAA, on a dedicated host on the access network, or on a central server somewhere else on the Internet.
The fourth functional entity is the Enforcement Point (EP), an access control implementation that is responsible for allowing access to authorized clients and preventing access by others. The EP learns the attributes of the authorized clients from the PAA. The EP uses non-cryptographic or cryptographic filters to selectively allow or discard data packets. These filters are applied at the link layer or at the IP layer. When cryptographic access control is used, a secure association protocol needs to run between the PaC and the EP. After the secure association protocol establishes the security associations needed to enable integrity protection, data origin authentication, replay protection and, optionally, confidentiality protection, link- or network-layer protection (for example, TKIP, IPsec ESP) is used. The EP can be strategically located in the local area network to minimize the access of unauthorized clients to the network. For example, the EP can be placed on the switch that is directly connected to the clients in a wired network. That way the EP can drop unauthorized packets before they reach any other client host or leave the local area network.
Some of the entities may be co-located depending on the deployment scenario. For example, the PAA and the EP may be on the same node (the BAS) in a DSL network. In that case a simple API between the PAA and the EP is sufficient. In small enterprise deployments the PAA may be hosted on the same node (for example, an access router) as the AS, which eliminates the need for a protocol to run between the two. The decision of whether to co-locate these entities, and their exact placement in the network topology, are deployment decisions.
A secure association protocol using IKE or a 4-way handshake is required only when there is no lower-layer security prior to PANA operation. Physically secured networks (such as DSL) or networks that have already been cryptographically secured prior to PANA operation (for example, cdma2000) do not require additional security associations or per-packet encryption. Such networks can bind the PANA authentication and authorization to the available lower-layer secure channel.
The EP on the access network allows general data traffic from any authorized PaC, whereas for an unauthorized PaC it allows only a limited type of traffic (such as PANA, DHCP and router discovery). This ensures that newly attached clients have the minimum access service needed to engage in PANA and obtain authorization for unlimited service.
The PaC needs to configure an IP address before running PANA. After successful PANA authentication, depending on the deployment scenario, the PaC may need to reconfigure its IP address or configure an additional IP address. That additional address configuration can be performed as part of the secure association protocol.
An initially unauthorized PaC starts PANA authentication by discovering the PAA on the access network, followed by the EAP exchange over PANA. The PAA interacts with the AS during this process. Upon receiving the authentication and authorization result from the AS, the PAA informs the PaC of the result of its network access request.
If the PaC is authorized to access the network, the PAA also sends the PaC-specific attributes (for example, IP address, cryptographic keys, etc.) to the EP using SNMP. The EP uses this information to alter its filters so that data traffic from and to the PaC can pass.
Where cryptographic access control needs to be enabled after PANA authentication, a secure association protocol runs between the PaC and the EP. As a result of the successful PANA exchange, the PaC should have the input parameters for this process. Similarly, the EP should obtain them from the PAA via SNMP. The secure association exchange produces the security associations required between the PaC and the EP to enable cryptographic protection of data traffic. Per-packet cryptographic data traffic protection introduces additional per-packet overhead, but this overhead exists only between the PaC and the EP and does not affect communications beyond the EP. Given this, it is very important to place the EP as close as possible to the edge of the network.
Finally, data traffic can start flowing to and from the newly authorized PaC.
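The access-control flow just described (the EP's restricted filter for an unauthorized PaC, PANA/EAP authentication through the PAA and AS, the PAA's SNMP update to the EP, the secure association between PaC and EP, and finally data traffic) as an added, runnable model in Python. This is not code from the patent, from the PANA drafts or from any PANA implementation: the four entities are plain objects, the PANA/EAP, PAA-to-AS and PAA-to-EP messages are method calls, the EAP method is replaced by a password check, and the secure association is a nonce exchange with an HMAC-SHA256 key derivation standing in for IKE or the 4-way handshake. The identities, addresses, password and packets are constructed for the example.

```python
# Added example (not code from the patent or any PANA implementation) modelling the
# PANA flow above: PaC, PAA, AS and EP as objects, messages as method calls, the EAP
# method as a password check. All identities, addresses and traffic are constructed.
import hashlib, hmac, os
from dataclasses import dataclass

BOOTSTRAP = {"PANA", "DHCP", "ROUTER_DISCOVERY"}  # all an unauthorized PaC may send

@dataclass
class Packet:
    src: str          # PaC identifier (stands in for its MAC/IP address)
    proto: str        # "PANA", "DHCP", "TCP", ...
    seq: int = 0      # replay counter, checked once an SA exists
    tag: bytes = b""  # HMAC over (src, proto, seq) under the SA key

def mac(key, pkt):
    return hmac.new(key, f"{pkt.src}|{pkt.proto}|{pkt.seq}".encode(), hashlib.sha256).digest()

def derive_sa_key(master_key, pac_nonce, ep_nonce):  # stands in for IKE / 4-way handshake
    return hmac.new(master_key, b"PaC-EP-SA" + pac_nonce + ep_nonce, hashlib.sha256).digest()

class AuthenticationServer:
    """AS: verifies the PaC's credentials on behalf of the PAA."""
    def __init__(self, users):
        self._users = users  # constructed: identity -> password
    def authenticate(self, identity, password):
        return hmac.compare_digest(self._users.get(identity, ""), password)

class EnforcementPoint:
    """EP: per-PaC filters that only the PAA may install (the SNMP PAA-2-EP path)."""
    def __init__(self):
        self._master, self._sa, self._last_seq = {}, {}, {}
    def install_filter(self, src, master_key):
        self._master[src], self._last_seq[src] = master_key, -1
        self._sa.pop(src, None)
    def secure_association(self, src, pac_nonce):
        """EP side of the SA protocol: derive the SA key, return the EP nonce."""
        ep_nonce = os.urandom(16)
        self._sa[src] = derive_sa_key(self._master[src], pac_nonce, ep_nonce)
        return ep_nonce
    def forward(self, pkt):
        """True if the EP forwards pkt, False if it drops it."""
        if pkt.src not in self._master:
            return pkt.proto in BOOTSTRAP            # unauthorized: PANA/DHCP/RD only
        sa_key = self._sa.get(pkt.src)
        if sa_key is None:
            return pkt.proto in BOOTSTRAP            # authorized but SA not yet set up
        if pkt.seq <= self._last_seq[pkt.src]:
            return False                             # replayed packet
        if not hmac.compare_digest(pkt.tag, mac(sa_key, pkt)):
            return False                             # forged or modified packet
        self._last_seq[pkt.src] = pkt.seq
        return True

class AuthenticationAgent:
    """PAA: runs PANA with the PaC, consults the AS, programs the EP."""
    def __init__(self, auth_server, ep):
        self._as, self._ep = auth_server, ep
    def pana_auth(self, src, identity, password):
        if not self._as.authenticate(identity, password):
            return None                              # EP filter stays closed
        # A real PAA takes the master key from the EAP method's exported key;
        # a random value stands in for it so the example runs offline.
        master_key = os.urandom(32)
        self._ep.install_filter(src, master_key)     # simulated SNMP update
        return master_key                            # the PaC holds it via EAP

class PanaClient:
    """PaC: requests access over PANA, then runs the SA protocol with the EP."""
    def __init__(self, src, identity, password):
        self.src, self._identity, self._password = src, identity, password
        self._sa_key, self._seq = None, 0
    def attach(self, paa, ep):
        master_key = paa.pana_auth(self.src, self._identity, self._password)
        if master_key is None:
            return False
        pac_nonce = os.urandom(16)
        ep_nonce = ep.secure_association(self.src, pac_nonce)
        self._sa_key = derive_sa_key(master_key, pac_nonce, ep_nonce)
        return True
    def send(self, proto):
        pkt = Packet(self.src, proto, self._seq)
        if self._sa_key is not None:
            pkt.tag = mac(self._sa_key, pkt)
        self._seq += 1
        return pkt

def pana_demo():
    """Walk through the flow; returns the EP's decision for each packet."""
    ep = EnforcementPoint()
    paa = AuthenticationAgent(AuthenticationServer({"alice@example.net": "correct horse"}), ep)
    alice = PanaClient("00:11:22:33:44:55", "alice@example.net", "correct horse")
    mallory = PanaClient("66:77:88:99:aa:bb", "alice@example.net", "guess")
    r = {"pre_auth_dhcp": ep.forward(alice.send("DHCP")),   # bootstrap traffic passes
         "pre_auth_tcp": ep.forward(alice.send("TCP"))}     # general traffic dropped
    r["alice_authorized"] = alice.attach(paa, ep)
    r["post_auth_tcp"] = ep.forward(alice.send("TCP"))
    r["mallory_authorized"] = mallory.attach(paa, ep)       # wrong password
    r["mallory_tcp"] = ep.forward(mallory.send("TCP"))
    accepted = alice.send("TCP")
    r["first_copy"], r["replayed_copy"] = ep.forward(accepted), ep.forward(accepted)
    r["forged"] = ep.forward(Packet(alice.src, "TCP", seq=999))  # no SA key, no tag
    return r
```

Running pana_demo() shows the two filter states the text describes: before authorization the EP passes only PANA, DHCP and router discovery; after the PAA has pushed the PaC's attributes it passes general traffic, and under cryptographic access control it also drops replayed, modified and source-spoofed packets that lack a valid tag under the PaC-EP security association. On a physically protected or already encrypted link (the DSL and cdma2000 cases above) the secure association and the tag check would be skipped and the filter would be non-cryptographic.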
Introduction to the present invention
Since wireless technologies including cellular and WLAN are widely deployed, supporting terminal handover between different types of access network, such as from WLAN to CDMA or to GPRS, is considered a significant challenge. On the other hand, supporting terminal handover between access networks of the same type is still more challenging, especially when the handover crosses IP subnets or administrative domains. To address these challenges, it is very important to provide terminal mobility that is agnostic to link-layer technologies, in an optimized and secure manner, without introducing unreasonable complexity. In this document we discuss terminal mobility that provides seamless handover with low latency and low loss. Seamless handover is characterized by the performance requirements described in the next section.
An essential part of terminal mobility is a mobility management protocol, which maintains a binding between the identifier of the mobile terminal and its locator; this binding is called the mobility binding. When a mobile terminal moves, the locator of the mobile node changes dynamically. The movement that causes the locator to change can be not only physical but also logical. In the remainder of this document, the term "mobility management protocol" refers to a mobility management protocol that works at the network layer or higher.
Several mobility management protocols exist at different layers. Mobile IP [RFC 3344] and Mobile IPv6 [RFC 3775] are mobility management protocols that work at the network layer. Within the IETF, several efforts are under way to define mobility management protocols above the network layer. For example, MOBIKE (IKEv2 Mobility and Multihoming) [I-D.ietf-mobike-design] is an extension to IKEv2 that provides the ability to handle IP address changes of IKEv2 endpoints. HIP (Host Identity Protocol) [I-D.ietf-hip-base] defines a new protocol layer between the network layer and the transport layer to provide terminal mobility in a way that is transparent to both the network layer and the transport layer. And SIP-Mobility is an extension to SIP that maintains the mobility bindings of SIP user agents [SIPMM].
Although mobility management protocols maintain mobility bindings, using them alone in their current form is not enough to provide seamless handover. An additional optimization mechanism that works in the visited network of the mobile terminal is needed to prevent significant packet loss while the mobility binding is being updated, and thus to achieve seamless handover. Such a mechanism is called a mobility optimization mechanism. For example, mobility optimization mechanisms have been defined for Mobile IPv4 and Mobile IPv6, respectively, in [I-D.ietf-mobileip-lowlatency-handoffs-v4] and [I-D.ietf-mipshop-fast-mipv6], by allowing neighboring access routers to communicate and carry information about the mobile terminal.
Some protocols are considered "helpers" for mobility optimization mechanisms. The CARD (Candidate Access Router Discovery) protocol [I-D.ietf-seamoby-card-protocol] is designed to discover neighboring access routers. CTP (Context Transfer Protocol) [I-D.ietf-seamoby-ctp] is designed to transfer, between access routers, the state or context associated with the services provided to the mobile terminal.
There are several problems with the existing mobility optimization mechanisms. First, existing mobility optimization mechanisms are tightly coupled to specific mobility management protocols. For example, a mobility optimization mechanism designed for Mobile IPv4 or Mobile IPv6 cannot be used for MOBIKE. A single, unified mobility optimization mechanism that can work together with any mobility management protocol is strongly desired. Second, existing mobility optimization mechanisms cannot easily support handover between administrative domains unless pre-established security associations between the domains are assumed. A mobility optimization mechanism should work securely across administrative domains based only on the trust relationship between the mobile node and each administrative domain. Third, a mobility optimization mechanism needs to support not only multi-interface terminals that are connected through several interfaces at the same time, but also single-interface terminals.
This document describes the framework of Media-independent Pre-Authentication (MPA), a new handover optimization mechanism that has the potential to solve all of the problems described above. MPA is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol, including Mobile IPv4, Mobile IPv6, MOBIKE, HIP, SIP mobility and others. In MPA, the notion of IEEE 802.11i pre-authentication is extended to work at higher layers, with additional mechanisms to obtain early an IP address from a network the mobile terminal may move to, and to proactively hand over to that network while the mobile terminal is still attached to the current network. This document concentrates on the MPA framework itself; given this disclosure, those skilled in the art can implement the actual set of protocols and the detailed operations chosen for MPA. The document identified below as [I-D.ohba-mobopts-mpa-implementation] provides one such method, describing the use of, and interaction between, existing protocols to realize MPA functionality.
Performance requirements
To provide the desired quality of service for interactive VoIP and streaming traffic, the values of end-to-end delay, jitter and packet loss need to be kept below certain thresholds. ITU-T and ITU-E standards have defined acceptable values for these parameters. For example, for one-way delay, ITU-T G.114 recommends 150 ms as the upper limit for most applications and 400 ms as a generally unacceptable delay. The one-way delay tolerance for video conferencing is in the range of 200 to 300 ms. Also, if an out-of-order packet is received after a certain threshold, it is considered lost. Some measurement techniques for delay and jitter are described in references [RFC 2679], [RFC 2680] and [RFC 2681] listed below.
End-to-end delay generally consists of several parts, such as network delay, operating system (OS) delay, CODEC delay and application delay. Network delay comprises transmission delay, propagation delay and queueing delay in intermediate routers. The OS-related delay is made up of the scheduling behavior of the sender's and receiver's operating systems. CODEC delay is usually caused by packetization and depacketization at the sending and receiving ends.
Application delay is mainly due to playout delay, which helps to compensate for delay variation in the network. End-to-end delay and jitter can be adjusted at the receiver by choosing an appropriate playout buffer size. For example, in the case of interactive VoIP traffic, end-to-end delay affects the jitter value and is an important issue to consider. During frequent handovers of a mobile device, transient packets fail to reach the mobile device, which also causes jitter.
If the end system has a playout buffer, the playout buffer absorbs this jitter as delay; otherwise it adds to the delay of interactive traffic. Packet loss is usually caused by congestion, routing instability, link failures and lossy links such as wireless links. During handover, a mobile device suffers packet loss because of the change in the network it is attached to. Therefore, for streaming and interactive VoIP traffic, packet loss affects the quality of service of real-time applications.
The number of packets lost is proportional to the handover delay and to the rate of the traffic the mobile device receives during the handover. In the case of TCP traffic, lost packets cause congestion because of retransmissions, whereas for RTP/UDP streaming traffic they do not add any congestion. Therefore, reducing packet loss and the effect of handover delay is a key point in any mobility management scheme. The section on existing fast-handover work below describes some fast handover schemes that attempt to reduce handover delay.
According to the reference [ETSI] ETSI TR 101 below, a normal voice conversation can tolerate a maximum of 2% packet loss. If a mobile device hands over frequently during a session, every handover adds to the packet loss during the handover period. Therefore, the maximum loss during a session needs to be reduced to an acceptable level.
There is no clear threshold for packet loss in streaming applications, but this packet loss needs to be reduced as much as possible to provide better quality of service for the particular application.
Existing work on fast handover
Although basic mobility management protocols, such as Mobile IP (see reference [RFC3344] below), Mobile IPv6 (see reference [RFC 3775] below) and SIP mobility (see reference [SIPMM] below), provide solutions that give continuity to TCP and RTP streams, none of them optimizes handover latency for the case where a mobile device moves frequently between subnets and domains. In general, these mobility management protocols suffer from handover delays occurring at several layers, for example layer 2, layer 3 and the application layer used to update the mobility binding of the mobile device.
Several optimization techniques have been used in current mobility management schemes in an attempt to reduce the handover delay and packet loss when a mobile device moves between cells, subnets and domains. There are several micro-mobility management schemes (for example, see references [CELLIP] and [HAWAII] below) and intra-domain mobility management schemes (for example, see references [IDMP] and [I-D.ietf-mobileip-reg-tunnel] below) that provide fast handover by limiting signaling updates to within a domain. The Fast Mobile IP protocols for IPv4 and IPv6 networks (see references [I-D.ietf-mobileip-lowlatency-handoffs-v4] and [I-D.ietf-mipshop-fast-mipv6] below) provide fast handover techniques that make use of mobility information obtainable through link-layer triggers. Yokota et al. (see reference [YOKOTA] below) proposed the joint use of access points and a dedicated MAC bridge to provide fast handover without changing the MIPv4 standard. The MACD scheme (see reference [MACD] below) reduces the delay caused by MAC-layer handover by providing a cache-based algorithm.
Some mobility management schemes use dual interfaces and therefore provide a make-before-break situation (see reference [SUM] below). In a make-before-break situation, communication usually continues over one interface while the second interface is being connected. The IEEE 802.21 working group is discussing these situations.
Compared with multi-interface clients, providing fast handover with a single interface requires more careful design. Reference [SIPFAST] below provides an optimized handover scheme for SIP-based mobility management in which transient packets are forwarded from the old subnet to the new subnet using an application-layer forwarding scheme. Reference [MITH] below provides a fast handover scheme for the single-interface case that uses mobile-initiated tunneling between the old foreign agent and the new foreign agent. Reference [MITH] defines two types of handover scheme, Pre-MIT and Post-MIT.
In some respects, the proposed MPA scheme is similar to the predictive scheme of MITH, in which the mobile device communicates with the foreign agent before actually moving to the new network. However, in particular, the proposed MPA scheme described in this document is not restricted to MIP-type mobility protocols. In addition, this scheme also focuses on inter-domain movement and performs pre-authentication in addition to proactive handover. As a result, the proposed scheme can reduce the overall delay to close to the link-layer handover delay.
Terminology
The following terminology is used in this document:
Mobility binding:
A binding between the identifier and the locator of a mobile terminal.
Mobility management protocol (MMP):
A protocol that works at the network layer or higher and maintains the binding between the identifier and the locator of a mobile terminal.
Binding update:
The procedure of updating a mobility binding.
Media-independent pre-authentication mobile node (MN):
A mobile terminal of Media-independent Pre-Authentication (MPA), a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol. An MPA mobile node is an IP node. In this document, the terms "mobile node" or "MN" without a modifier refer to "MPA mobile node". An MPA mobile node usually also has the mobile node functionality of a mobility management protocol.
Candidate target network (CTN):
A network to which the mobile device is about to move.
Target network (TN):
The network to which the mobile device has decided to move. The target network is selected from one or more candidate target networks.
Proactive handover tunnel (PHT):
A bidirectional IP tunnel established between the MPA mobile node and an access router of a candidate target network. In this document, the term "tunnel" without a modifier refers to "proactive handover tunnel".
Point of attachment (PoA):
A link-layer device (for example, a switch, access point or base station, etc.) that serves as the link-layer point of attachment of the MPA mobile node to a network.
Care-of address (CoA):
An IP address used by a mobility management protocol as the locator of the MPA mobile node.
The MPA framework
The following subsections discuss illustrative and non-limiting aspects of the Media-independent Pre-Authentication (MPA) framework.
1. Overview
Media-independent Pre-Authentication (MPA) is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol. With MPA, a mobile node can not only securely obtain an IP address and other configuration parameters of a candidate target network (CTN), but also send and receive IP packets using the obtained IP address before it is physically attached to the CTN. This allows the mobile node to complete the binding update of any mobility management protocol and to use the new CoA before the handover at the link layer takes place.
This functionality is provided by allowing a mobile node that is attached to the current network, but not yet to the CTN, to (i) establish a security association with the CTN to protect subsequent protocol signaling, then (ii) securely run a configuration protocol to obtain an IP address and other parameters from the CTN, and a tunnel management protocol to establish a proactive handover tunnel (PHT) between the mobile node and an access router of the CTN, then (iii) send and receive IP packets over the PHT using the obtained IP address as the tunnel inner address, including the signaling messages of the binding update of the mobility management protocol (MMP) and the data packets transmitted after the binding update completes, and finally (iv) when the CTN becomes the target network, delete or disable the PHT before attaching to it, and reassign the inner address of the deleted or disabled tunnel to the physical interface immediately after the mobile node has attached to the target network through that interface. Instead of deleting or disabling the tunnel before attaching to the target network, the tunnel may be deleted or disabled immediately after attaching to the target network.
In particular, the third step allows the mobile device to complete the higher-layer handover before the link-layer handover starts. This means that the mobile device can send and receive the data packets transmitted after the binding update completes over the tunnel, while it can still send and receive the data packets transmitted before the binding update completes outside the tunnel.
Of the four basic MPA procedures above, the first step is also called "pre-authentication", the second step "pre-configuration", and the third and fourth steps together "secure proactive handover". The security association established through pre-authentication is called the "MPA-SA". As noted above, the tunnel established through pre-configuration is called the "proactive handover tunnel" (PHT).
2. Functional elements
In the MPA framework, in a preferred embodiment, the following functional elements reside in each CTN to communicate with the mobile node: an authentication agent (AA), a configuration agent (CA) and an access router (AR). Some or all of these elements may be placed in a single network device or in separate network devices.
The authentication agent is responsible for pre-authentication. An authentication protocol is run between the mobile node and the authentication agent to establish the MPA-SA. The authentication protocol needs to derive a key between the mobile node and the authentication agent, and should be able to provide mutual authentication. The authentication protocol should be able to interact with an AAA protocol such as RADIUS or Diameter, so that authentication credentials can be transported to an appropriate authentication server in the AAA infrastructure. The derived key is used to further derive the keys that protect the messages used for pre-configuration and secure proactive handover. Other keys used to bootstrap link-layer and/or network-layer ciphers may also be derived from the MPA-SA. A protocol that can carry EAP (see, for example, reference [RFC 3748] below) is suitable for use as the authentication protocol of MPA.
The configuration agent is responsible for one part of pre-configuration, namely securely running a configuration protocol to securely deliver an IP address and other configuration parameters to the mobile node. The signaling messages of the configuration protocol need to be protected using a key derived from the key corresponding to the MPA-SA.
The access router is a router responsible for the other part of pre-configuration, namely securely running a tunnel management protocol to establish a proactive handover tunnel to the mobile node, and using the proactive handover tunnel to secure the proactive handover. The signaling messages of this protocol need to be protected using a key derived from the key corresponding to the MPA-SA. The IP packets transmitted in the proactive handover tunnel should be protected using a key derived from the key corresponding to the MPA-SA.
3. Basic communication flow
Assume that the mobile node is already attached to a point of attachment, oPoA (old point of attachment), and has been assigned a care-of address, oCoA (old care-of address). The MPA communication flow is described below. Throughout this flow, no packet loss should occur during the exchange except in step 5, and minimizing packet loss during that step is the responsibility of the link-layer handover.
Step 1 (pre-authentication phase):
The mobile node discovers a CTN through some discovery procedure and obtains, by some method, the IP addresses of the authentication agent, the configuration agent and the access router in the CTN. The mobile node performs pre-authentication with the authentication agent. If pre-authentication succeeds, an MPA-SA is created between the mobile node and the authentication agent. Two keys are derived from the MPA-SA, an MN-CA key and an MN-AR key, which are used to protect the subsequent signaling messages of the configuration protocol and of the tunnel management protocol, respectively. The MN-CA key and the MN-AR key are then securely delivered to the configuration agent and to the access router, respectively.
Step 2 (pre-configuration phase):
The mobile node realizes that its point of attachment is likely to change from oPoA to a new one, nPoA (new point of attachment). It then performs pre-configuration: with the configuration agent, using the configuration protocol, it obtains an IP address, nCoA (new care-of address), and other configuration parameters from the CTN; and with the access router, using the tunnel management protocol, it establishes a proactive handover tunnel. In the tunnel management protocol, the mobile node registers oCoA and nCoA as the tunnel outer address and the tunnel inner address, respectively. The signaling messages of the pre-configuration protocols are protected using the MN-CA key and the MN-AR key. When the configuration agent and the access router are co-located in the same device, the two protocols may be combined into a single protocol similar to IKEv2. After the tunnel has been established, the mobile node can communicate using both oCoA and nCoA until step 4 completes.
Step 3 (secure proactive handover main phase):
The mobile node decides, by some method, to hand over to the new point of attachment. Before the mobile node hands over to the new point of attachment, it starts the secure proactive handover (main phase) by performing the binding update of the mobility management protocol and transmitting the subsequent data traffic over the tunnel. In some cases, multiple nCoA addresses can be cached and bound simultaneously with the correspondent host (CH) or the home agent (HA) (for example, in the Mobile IPv6 standard RFC 3775, when a mobile node roams into a foreign network it is assigned a care-of address (CoA), and the mobile node notifies its home agent (HA) and correspondent node (CN) of its new CoA through the binding update procedure).
Step 4 (secure proactive handover pre-switching phase):
The mobile node completes the binding update and becomes ready to switch to the new point of attachment. The mobile node may run the tunnel management protocol to delete or disable the proactive handover tunnel, and caches nCoA after the tunnel has been deleted or disabled. The decision as to when the mobile node is ready to switch to the new point of attachment depends on the handover policy.
Step 5 (switching):
In this step, the link-layer handover is expected to take place.
Step 6 (secure proactive handover post-switching phase):
The mobile node performs the switching procedure. After successfully completing the handover procedure, the mobile node immediately restores the cached nCoA and assigns it to the physical interface attached to the new point of attachment. If the proactive handover tunnel was not deleted or disabled in step 4, the tunnel may also be deleted or disabled at this point. After this, data packets can be transmitted directly using nCoA, without the proactive handover tunnel.
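The six-step flow above, modelled end to end as an added example (this is not code from the patent or from any MPA implementation). The page does not fix the key derivation or the message protection, so the example assumes an HMAC-SHA256 derivation of the MN-CA and MN-AR keys from the MPA-SA key over distinct labels, and HMAC-SHA256 integrity tags on signaling and tunneled packets; the node identity, registered secret and all addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

REGISTERED_SECRET = b"constructed-secret"   # credential the AAA side knows for "mn-1"

def derive_key(mpa_sa_key: bytes, label: bytes) -> bytes:
    return hmac.new(mpa_sa_key, label, hashlib.sha256).digest()   # assumed KDF

def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()            # integrity tag

def verify(key: bytes, msg: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, msg), t)

@dataclass
class Tunnel:
    outer: str          # oCoA: the address the MN still uses on the current network
    inner: str          # nCoA: the address the MN will use in the CTN

class ConfigurationAgent:
    """Step 2: delivers nCoA only for requests protected with the MN-CA key."""
    def __init__(self, pool: List[str]):
        self.pool, self.keys = list(pool), {}        # keys: mn_id -> MN-CA key

    def configure(self, mn_id: str, req: bytes, t: bytes) -> Optional[str]:
        key = self.keys.get(mn_id)
        if key is None or not verify(key, req, t):
            return None                               # unauthenticated request: no address
        return self.pool.pop(0)

class AccessRouter:
    """Steps 2-4: tunnel management and forwarding over the PHT under the MN-AR key."""
    def __init__(self):
        self.keys: Dict[str, bytes] = {}              # mn_id -> MN-AR key
        self.tunnels: Dict[str, Tunnel] = {}
        self.delivered: List[bytes] = []              # packets forwarded beyond the AR

    def _ok(self, mn_id: str, msg: bytes, t: bytes) -> bool:
        key = self.keys.get(mn_id)
        return key is not None and verify(key, msg, t)

    def setup_tunnel(self, mn_id: str, outer: str, inner: str, t: bytes) -> bool:
        if not self._ok(mn_id, f"SETUP {outer} {inner}".encode(), t):
            return False
        self.tunnels[mn_id] = Tunnel(outer, inner)    # oCoA outer, nCoA inner
        return True

    def delete_tunnel(self, mn_id: str, t: bytes) -> bool:
        if not self._ok(mn_id, b"DELETE", t) or mn_id not in self.tunnels:
            return False
        del self.tunnels[mn_id]
        return True

    def forward(self, mn_id: str, inner_src: str, payload: bytes, t: bytes) -> bool:
        tun = self.tunnels.get(mn_id)
        if tun is None or tun.inner != inner_src:
            return False                              # no PHT, or inner address is not the registered nCoA
        if not self._ok(mn_id, payload, t):
            return False                              # tunneled packet fails the MN-AR key check
        self.delivered.append(payload)
        return True

class AuthenticationAgent:
    """Step 1: establishes the MPA-SA and pushes the derived keys to the CA and AR."""
    def __init__(self, ca: ConfigurationAgent, ar: AccessRouter, credentials: Dict[str, bytes]):
        self.ca, self.ar, self.credentials = ca, ar, credentials

    def pre_authenticate(self, mn_id: str, secret: bytes) -> Optional[bytes]:
        if self.credentials.get(mn_id) != secret:
            return None                               # no MPA-SA, nothing delivered
        mpa_sa = hashlib.sha256(b"MPA-SA|" + mn_id.encode() + b"|" + secret).digest()
        self.ca.keys[mn_id] = derive_key(mpa_sa, b"MN-CA")   # "securely delivered" to CA
        self.ar.keys[mn_id] = derive_key(mpa_sa, b"MN-AR")   # "securely delivered" to AR
        return mpa_sa

def run_mpa_flow(secret: bytes = REGISTERED_SECRET, mn_id: str = "mn-1", oCoA: str = "192.0.2.10") -> dict:
    """Run steps 1-6 for one MN and return the observable end state."""
    ca, ar = ConfigurationAgent(["198.51.100.20"]), AccessRouter()
    aa = AuthenticationAgent(ca, ar, {"mn-1": REGISTERED_SECRET})
    # Step 1: pre-authentication; the MN derives the same MN-CA / MN-AR keys from the MPA-SA.
    mpa_sa = aa.pre_authenticate(mn_id, secret)
    if mpa_sa is None: return {"authenticated": False}
    mn_ca, mn_ar = derive_key(mpa_sa, b"MN-CA"), derive_key(mpa_sa, b"MN-AR")
    # Step 2: pre-configuration: obtain nCoA, then set up the PHT (oCoA outer, nCoA inner).
    req = b"CONFIG-REQUEST"
    nCoA = ca.configure(mn_id, req, tag(mn_ca, req))
    setup = f"SETUP {oCoA} {nCoA}".encode()
    tunnel_up = ar.setup_tunnel(mn_id, oCoA, nCoA, tag(mn_ar, setup))
    # Step 3: the binding update (and later data) travels over the tunnel with nCoA as inner source.
    bu = f"BINDING-UPDATE {nCoA}".encode()
    bu_ok = ar.forward(mn_id, nCoA, bu, tag(mn_ar, bu))
    # Step 4: ready to switch: delete the PHT and cache nCoA.
    deleted = ar.delete_tunnel(mn_id, tag(mn_ar, b"DELETE"))
    cached_nCoA = nCoA                                # step 5, the link-layer handover, happens here
    # Step 6: restore the cached nCoA onto the physical interface; traffic now goes direct.
    iface_addr = cached_nCoA
    return {"authenticated": True, "nCoA": nCoA, "tunnel_up": tunnel_up,
            "binding_update_over_tunnel": bu_ok, "tunnel_deleted": deleted,
            "iface_addr": iface_addr, "tunnel_left": mn_id in ar.tunnels}
```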
References
In particular, the present invention provides various enhancements and improvements to the systems and methods described in the following references, the entire disclosures of which are incorporated herein by reference.
1. Bradner, S., "The Internet Standards Process - Revision 3", BCP 9, RFC 2026, October 1996. Referred to herein as [RFC2026].
2. Bradner, S., "IETF Rights in Contributions", BCP 78, RFC 3978, March 2005. Referred to herein as [RFC3978].
3. Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002. Referred to herein as [RFC3344].
4. Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. Referred to herein as [RFC3748].
5. Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. Referred to herein as [RFC3775].
6. Malki, K., "Low Latency Handoffs in Mobile IPv4", draft-ietf-mobileip-lowlatency-handoffs-v4-09 (work in progress), June 2004. Referred to herein as [I-D.ietf-mobileip-lowlatency-handoffs-v4].
7. Koodli, R., "Fast Handovers for Mobile IPv6", draft-ietf-mipshop-fast-mipv6-03 (work in progress), October 2004. Referred to herein as [I-D.ietf-mipshop-fast-mipv6].
8. Liebsch, M., "Candidate Access Router Discovery", draft-ietf-seamoby-card-protocol-08 (work in progress), September 2004. Referred to herein as [I-D.ietf-seamoby-card-protocol].
9. Loughney, J., "Context Transfer Protocol", draft-ietf-seamoby-ctp-11 (work in progress), August 2004. Referred to herein as [I-D.ietf-seamoby-ctp].
10. Aboba, B., "Extensible Authentication Protocol (EAP) Key Management Framework", draft-ietf-eap-keying-06 (work in progress), April 2005. Referred to herein as [I-D.ietf-eap-keying].
11. Forsberg, D., "Protocol for Carrying Authentication for Network Access (PANA)", draft-ietf-pana-pana-08 (work in progress), May 2005. Referred to herein as [I-D.ietf-pana-pana].
12. ITU-T, "General Characteristics of International Telephone Connections and International Telephone Circuits: One-Way Transmission Time", ITU-T Recommendation G.114, 1998. Referred to herein as [RG98].
13. ITU-T, "The E-Model, a computational model for use in transmission planning", ITU-T Recommendation G.107, 1998. Referred to herein as [ITU98].
14. ETSI, "Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 3: End-to-end Quality of Service in TIPHON systems; Part 1: General Aspects of Quality of Service", ETSI TR 101 329-6 V2.1.1. Referred to herein as [ETSI].
15. Kivinen, T. and H. Tschofenig, "Design of the MOBIKE protocol", draft-ietf-mobike-design-02 (work in progress), February 2005. Referred to herein as [I-D.ietf-mobike-design].
16. Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-03 (work in progress), June 2005. Referred to herein as [I-D.ietf-hip-base].
17. Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Delay Metric for IPPM", RFC 2679, September 1999. Referred to herein as [RFC2679].
18. Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Packet Loss Metric for IPPM", RFC 2680, September 1999. Referred to herein as [RFC2680].
19. Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip Delay Metric for IPPM", RFC 2681, September 1999. Referred to herein as [RFC2681].
20. Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995. Referred to herein as [RFC1853].
21. Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001. Referred to herein as [RFC3046].
22. Kim, P., Volz, B., and S. Park, "Rapid Commit Option for DHCPv4", draft-ietf-dhc-rapid-commit-opt-05 (work in progress), June 2004. Referred to herein as [I-D.ietf-dhc-rapid-commit-opt].
23. Ohba, Y., "Media-Independent Pre-Authentication (MPA) Implementation Results", draft-ohba-mobopts-mpa-implementation-00 (work in progress), June 2005. Referred to herein as [I-D.ohba-mobopts-mpa-implementation].
24. Schulzrinne, H., "Application Layer Mobility Using SIP", MC2R. Referred to herein as [SIPMM].
25. Campbell, A., Gomez, J., Kim, S., Valko, A., and C. Wan, "Design, Implementation, and Evaluation of Cellular IP", IEEE Personal Communications, August 2000. Referred to herein as [CELLIP].
26. Ramjee, R., Porta, T., Thuel, S., Varadhan, K., and S. Wang, "HAWAII: A Domain-based Approach for Supporting Mobility in Wide-area Wireless Networks", International Conference on Network Protocols (ICNP) '99. Referred to herein as [HAWAII].
27. Das, S., Dutta, A., Misra, A., and S. Das, "IDMP: An Intra-Domain Mobility Management Protocol for Next Generation Wireless Networks", IEEE Wireless Communications Magazine, October 2000. Referred to herein as [IDMP].
28. Calhoun, P., Montenegro, G., Perkins, C., and E. Gustafsson, "Mobile IPv4 Regional Registration", draft-ietf-mobileip-reg-tunnel-09 (work in progress), July 2004. Referred to herein as [I-D.ietf-mobileip-reg-tunnel].
29. Yokota, H., Idoue, A., and T. Hasegawa, "Link Layer Assisted Mobile IP Fast Handoff Method over Wireless LAN Networks", Proceedings of ACM MobiCom 2002. Referred to herein as [YOKOTA].
30. Shin, S., "Reducing MAC Layer Handoff Latency in IEEE 802.11 Wireless LANs", MobiWac Workshop. Referred to herein as [MACD].
31. Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Ohba, Y., and H. Schulzrinne, "Secured Universal Mobility", WMASH 2004. Referred to herein as [SUM].
32. Dutta, A., Madhani, S., and H. Schulzrinne, "Fast Handoff Schemes for Application Layer Mobility Management", PIMRC 2004. Referred to herein as [SIPFAST].
33. Gwon, Y., Fu, G., and R. Jain, "Fast Handoffs in Wireless LAN Networks using Mobile initiated Tunneling Handoff Protocol for IPv4 (MITHv4)", Wireless Communications and Networking 2003, January 2005. Referred to herein as [MITH].
34. Anjum, F., Das, S., Dutta, A., Fajardo, V., Madhani, S., Ohba, Y., Taniuchi, K., Yaqub, R., and T. Zhang, "A proposal for MIH function and Information Service", a contribution to IEEE 802.21 WG, January 2005. Referred to herein as [NETDISC].
35. "IEEE Wireless LAN Edition: A compilation based on IEEE Std 802.11-1999 (R2003)", Institute of Electrical and Electronics Engineers, September 2003. Referred to herein as [802.11].
36. Dutta, A., "GPS-IP based fast-handoff for Mobiles", NYMAN 2003. Referred to herein as [GPSIP].
37. Vatn, J. and G. Maguire, "The effect of using co-located care-of-address on macro handover latency", 14th Nordic Teletraffic Seminar 1998. Referred to herein as [MAGUIRE].
Summary of the invention
The present invention improves on above-mentioned and/or other background technology and/or problem.
A kind of in being independent of the pre-authentication framework of medium the reset method of (switch back) relevant switching judgement of control and the exchange of mobile node between first network and second network; It comprises: a) for said mobile node position determination module is provided, it is configured to provide the position about the access point in the adjacent network to confirm; B) part utilizes location-based algorithm to avoid the vibration between said first and second networks based on the output of said position determination module at least.
In some instances, said method further comprises, wherein, said location-based algorithm is based, at least in part, on the position and relevant with the previous change action of this mobile node relevant by between the data of high-speed cache of mobile node.In some instances, said method further comprises: wherein, said data by high-speed cache are stored in the digital data storage unit on the said mobile node.In some instances; Said method further comprises: wherein; Said location-based algorithm comprises based on another the exchange that is provided to about the data of instance in the past in said first network and said second network; Wherein, said mobile node is exchanged in said first network and said second network another.In some instances; Said method further comprises: said location-based algorithm comprises based on another the exchange that is not provided to about the data of instance in the past in said first network and said second network; Wherein, said mobile node is not exchanged in said first network and said second network another.In some instances, said method further comprises: said position determination module comprises gps receiver.In some instances, said method further comprises: utilize location-based algorithm to avoid the vibration between said first network and second network, it comprises having at least the algorithm of part based at least one non-position instruction value.In some instances, said at least one non-position instruction value comprises the indicated value of signal to noise ratio.In some instances; Said method comprises: said first network is to first medium, and said second network is to different media, wherein; Said first medium is a cellular network; And said different medium is a WLAN, and perhaps said first medium is a WLAN, and said different medium is a cellular network.
According to some other embodiments, a method, in a media-independent pre-authentication framework, of mitigating the effect of an undesired switch-back of a mobile node between a first network and a second network, comprising: a) maintaining a context related to the first network for a period of time, so that the context can be quickly restored when the mobile node returns to the first network; b) having the mobile node use that context after returning to the first network. In some instances, the context is stored in a digital data storage unit on the mobile node and comprises data related to a security association, an IP address, or an established tunnel. In some instances, the first network is of a first medium and the second network is of a different medium, wherein the first medium is a cellular network and the different medium is a wireless LAN, or the first medium is a wireless LAN and the different medium is a cellular network.
According to some other embodiments, a method, in a media-independent pre-authentication framework, of mitigating the effect of an undesired switch-back of a mobile node between a previous network and a new network, comprising: sending packets to both the previous network and the new network for a period of time, so as to avoid packet loss when the mobile node returns from the new network to the previous network. In some instances, the step of sending packets comprises bicasting the packets. In some instances, the previous network is of a first medium and the new network is of a different medium, wherein the first medium is a cellular network and the different medium is a wireless LAN, or the first medium is a wireless LAN and the different medium is a cellular network.
The above and other aspects, features and/or advantages of various embodiments will be further explained in the following description with reference to the accompanying drawings. Various embodiments may include and/or exclude different applicable aspects, features and/or advantages. In addition, various embodiments may combine one or more aspects or features of other embodiments where applicable. The description of aspects, features and/or advantages of particular embodiments should not be taken as limiting other embodiments or the claims.
Description of the drawings
Fig. 1 is a flow chart depicting the basic communication flow according to some illustrative embodiments; Fig. 2 continues this flow chart;
Fig. 2 is a flow chart depicting the continuation of the basic communication flow of the flow chart shown in Fig. 1;
Fig. 3 is a block diagram depicting the bootstrapping of link-layer security according to some illustrative embodiments; and
Fig. 4 is an architectural diagram showing exemplary sub-components of an illustrative access point and an illustrative client device or subscriber station according to some illustrative embodiments of the present invention.
Detailed description of embodiments
The preferred embodiments of the present invention are shown in the accompanying drawings by way of example and not as a limitation.
While the present invention may be embodied in many different forms, a number of illustrative embodiments are described here, with the understanding that the present disclosure is to be considered as providing examples of the principles of the invention, and that such examples are not intended to limit the invention to the preferred embodiments described and/or illustrated herein.
Detailed discussion
To provide optimized handover for a mobile device experiencing rapid subnet and domain handoffs, we address several problems. These include discovering neighboring network elements; selecting the right network to connect to based on some policy; changing the layer 2 point of attachment; obtaining an IP address from a DHCP or PPP server and verifying its uniqueness; performing pre-authentication with an authentication agent such as the AAA server in a specific domain; sending binding updates to the correspondent host and obtaining the redirected streaming traffic at the new point of attachment; and the possibility of ping-pong and of moving to more than one network. The discussion below addresses how these problems are solved or optimized in the context of MPA-based secure proactive handover.
1. Discovery
Discovery of neighboring network elements such as access points, access routers and authentication servers helps speed up the handover process while the mobile device moves rapidly between networks. By discovering the neighboring nodes together with the desired set of coordinates, capabilities and parameters, the mobile device can perform many operations while still in the previous network, such as pre-authentication, proactive IP address acquisition, proactive address resolution, and binding update.
A mobile device can discover neighboring networks in several ways. The Candidate Access Router Discovery protocol (see reference [I-D.ietf-seamoby-card-protocol] above) helps discover candidate access routers in neighboring networks. Given a certain network domain, the Service Location Protocol (SLP) and the Domain Name Service (DNS) help provide the addresses of network components for a given set of services in the specified domain. In some cases, when the mobile device is close to a neighboring network, network-layer and higher-layer parameters can be sent over link-layer management frames such as beacons. IEEE 802.11u is considering the use of link-layer information to discover items such as neighbor lists. However, if the link-layer management frames are encrypted by some link-layer security mechanism, the mobile node cannot obtain the needed information before a link-layer connection to the access point is established. In addition, this adds a burden to the bandwidth-limited wireless medium. In such cases it is preferable to use a higher-layer protocol to obtain information about the neighboring elements. Reference [NETDISC] above contains some proposals that help obtain this information about neighboring networks from a mobility server. When the movement of the mobile device is imminent, it starts the discovery process by querying a specific server and obtains the required parameters, such as the IP address of the access point, its characteristics, the router, and the SIP server or authentication server of the neighboring network. In the case of multiple networks, it can obtain the needed parameters from more than one neighboring network and keep these in a cache. At some point the mobile device finds several CTNs among the many possible networks and starts the pre-authentication process by communicating with the required entities in the CTNs. The details of this case are further illustrated in section 2 below.
2. Pre-authentication in a multiple-CTN environment
In some cases, although the mobile device decides on a particular network as the target network, it may in fact end up moving to a neighboring network other than that target network because of factors beyond the mobile device's control. It may therefore be useful to pre-authenticate with several possible candidate target networks and to establish time-bound tunnels with each of the target routers in those networks. Then, when the mobile device does not move to the target network determined beforehand but ends up in a different target network, it does not suffer the packet loss caused by the delays of post-authentication and IP address acquisition. It can be seen that by pre-authenticating with several candidate target networks and holding the IP addresses, the mobile device ties up resources that could otherwise be used; but since this only happens for a limited time, it is not a big problem. The mobile device uses the pre-authentication procedure to obtain the IP addresses proactively and to establish time-bound tunnels with the target access routers.
Normally, the mobile device assigns a new IP address to a virtual interface. But when multiple IP addresses have been obtained from neighboring networks, it can do one of two things. It can create one virtual interface using the IP address of the network the mobile device has decided to go to, or it can create multiple virtual interfaces using each of the IP addresses obtained from the neighboring networks. The mobile device can choose one of these addresses as the binding update address and send it to the correspondent host (CH), so that, while still in the previous network, it receives tunneled traffic via the target network. In some instances, however, the mobile device finally moves to a network other than that target network. Then, when the mobile device moves to the new network, the traffic is interrupted because the mobile device has to go through the process of assigning a new IP address and sending a binding update again. Two solutions can be proposed to handle this problem. The mobile device can use simultaneous mobility bindings and send multiple binding updates to the correspondent host. The correspondent host then forwards traffic, for a determined period, to the multiple IP addresses assigned to the virtual interfaces. After the mobile device has moved to the new network, the binding update is refreshed at the CH, stopping the data flow to the other candidate networks. Where a particular mobility scheme does not support simultaneous bindings, forwarding the traffic from the previous target network helps handle the transient traffic until a new binding update is made from the new network.
3. Proactive IP address acquisition
Generally, a mobility management protocol works with a foreign agent (FA) or in co-located address mode. Our MPA approach can use both the co-located address mode and the foreign agent address mode. Here we discuss the address assignment components used for the co-located address mode. There are several ways in which a mobile node can obtain an IP address and configure itself. Most commonly, when there is no configuration component such as a server or router in the network, the mobile device can configure itself statically. The IETF Zeroconf working group has defined an auto-IP mechanism, in which the mobile device is configured in an ad hoc manner and picks a unique address from a specific range such as 169.254.x.x. In a LAN environment, the mobile device can obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server. In the case of an IPv6 network, the mobile device has the option of obtaining an IP address using stateless autoconfiguration or DHCPv6. In a wide area network environment, the mobile device uses PPP to obtain the IP address by communicating with a network access server (NAS).
Each of these procedures takes from a few hundred milliseconds to several seconds, depending on the type of IP address acquisition procedure and on the operating systems of the client and server.
Since IP address acquisition is part of the handover process, it adds to the handover delay, and it is therefore desirable to reduce this time as much as possible. Several optimization techniques can be used, such as DHCP rapid commit (see, for example, reference [I-D.ietf-dhc-rapid-commit-opt] above) and GPS-coordinate-based IP addressing (see, for example, reference [GPSIP] above), which try to reduce the part of the handover time caused by the IP address acquisition time. However, in all these cases the mobile device still obtains the IP address after moving to the new subnet, and some delay still occurs because of the signaling handshake between the mobile node and the DHCP server.
In the following paragraphs we describe some methods by which a mobile node can proactively obtain an IP address from a CTN, together with the associated tunnel setup procedures. These can be broadly divided into four categories: PANA-assisted proactive IP address acquisition, IKE-assisted proactive IP address acquisition, proactive IP address acquisition using only DHCP, and proactive IP address acquisition using stateless autoconfiguration.
3.1 PANA-assisted proactive IP address acquisition
In the case of PANA-assisted proactive IP address acquisition, the mobile node proactively obtains an IP address from the CTN. The mobile node uses PANA messages to trigger the address acquisition process on a DHCP relay agent that is co-located with the PANA authentication agent in the access router of the CTN. After receiving the PANA message from the mobile node, the DHCP relay agent performs a normal DHCP message exchange to obtain an IP address from the DHCP server in the CTN. This address is carried in a PANA message and sent to the client. In the case of MIPv6 with stateless autoconfiguration, the router advertisement from the new target network is passed to the client as part of a PANA message. The mobile device uses this prefix and its MAC address to construct a unique IPv6 address, just as it would do in the new network. Mobile IPv6 in the stateful model works very similarly to DHCPv4.
3.2 IKEv2-assisted proactive IP address acquisition
IKEv2-assisted proactive IP address acquisition works when an IPsec gateway and a DHCP relay agent reside in each access router of the CTN. In this case, the IPsec gateway and DHCP relay agent in the CTN assist the mobile node in obtaining an IP address from the DHCP server in the CTN. The MN-AR key established in the pre-authentication phase is used as the IKEv2 pre-shared secret needed to run IKEv2 between the mobile node and the access router. The IP address is obtained from the CTN as part of standard IKEv2 processing by means of the co-located DHCP relay agent, which obtains the IP address from the DHCP server in the target network using standard DHCP. The obtained IP address is sent back to the client in the IKEv2 Configuration Payload exchange. In this case, IKEv2 is also used as the tunnel management protocol for the proactive handover tunnel (see section 5 below).
3.3 Proactive IP address acquisition using only DHCP
As another alternative, DHCP can be used to proactively obtain an IP address from the CTN by allowing direct DHCP communication between the mobile node and the DHCP relay or DHCP server in the CTN, without relying on the PANA- or IKEv2-based methods. In this case, the mobile node sends a unicast DHCP message to the DHCP relay agent or DHCP server in the CTN to request an address, using the address associated with its current physical interface as the source address of the request.
When the message is sent to a DHCP relay agent, the relay agent relays the DHCP messages back and forth between the mobile node and the DHCP server. In the absence of a DHCP relay agent, the mobile device can also communicate directly with the DHCP server in the target network. The broadcast option in the client's unicast DISCOVER message should be set to 0, so that the relay agent or DHCP server can reply directly to the mobile device using the mobile node's source address. With stateful configuration, this mechanism can also be used by IPv6 nodes.
To prevent a malicious node from obtaining an IP address from the DHCP server, DHCP authentication should be used, or the access router should install a filter that blocks unicast DHCP messages sent to the remote DHCP server from mobile nodes that have not been pre-authenticated. When DHCP authentication is used, the DHCP authentication key can be derived from the MPA-SA established between the mobile node and the authentication agent in the candidate target network.
The proactively obtained IP address is not assigned to the physical interface of the mobile node until the mobile device moves to the new network. Therefore, the IP address proactively obtained from the target network should be assigned not to the physical interface but to a virtual interface of the client. Accordingly, an IP address obtained through direct DHCP communication between the mobile node and the DHCP relay or DHCP server in the CTN may carry additional information that distinguishes it from the other addresses assigned to the physical interface.
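The DHCP-only path above, as an added example that is not part of the patent: the mobile node builds the unicast DHCPDISCOVER it sends from its current physical interface with the broadcast flag cleared and with a client identifier it will reuse after the handover, and the relay agent in the CTN access router applies the filter described, relaying toward the remote DHCP server only for pre-authenticated nodes. The message layout follows RFC 2131; the relay's pre-authentication bookkeeping, the class and function names, and all addresses are constructed for the illustration.

```python
# Added example, not from the patent: DHCP-only proactive IP address acquisition
# (section 3.3) modelled at the wire level, plus the access-router relay filter.
import socket
import struct
from typing import List, Optional, Set, Tuple

BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000          # bit 15 of 'flags' (RFC 2131, section 2)
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255
DHCPDISCOVER = 1
HOPS_OFF, GIADDR_OFF = 3, 24     # byte offsets of 'hops' and 'giaddr' in the header


def build_discover(xid: int, mac: str, broadcast: bool = False) -> bytes:
    """DHCPDISCOVER carrying option 61 (client identifier = MAC), the identifier
    that must stay the same in the later DHCP run inside the target network.
    The BROADCAST flag is cleared so the reply can be unicast to the sender."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    flags = BROADCAST_FLAG if broadcast else 0
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0, xid, 0, flags,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_CLIENT_ID, 7, 1]) + chaddr
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_header(msg: bytes) -> dict:
    """Decode the fixed part of a DHCP message (first 44 bytes plus magic cookie)."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, hops, xid, _secs, flags, _ciaddr, _yiaddr,
     _siaddr, giaddr, chaddr) = struct.unpack("!BBBBIHH4s4s4s4s16s", msg[:44])
    return {"op": op, "hops": hops, "xid": xid, "flags": flags, "giaddr": giaddr,
            "chaddr": chaddr[:hlen].hex(), "broadcast": bool(flags & BROADCAST_FLAG)}


class AccessRouterRelay:
    """DHCP relay agent co-located in the CTN access router. Unicast DHCP from a
    mobile node is relayed toward the remote DHCP server only if that node has
    already completed pre-authentication (constructed bookkeeping: a set of
    source addresses for which an MPA-SA exists)."""

    def __init__(self, relay_ip: str, dhcp_server: str):
        self.relay_ip = relay_ip
        self.dhcp_server = dhcp_server
        self.preauthenticated: Set[str] = set()
        self.forwarded: List[Tuple[str, str, int]] = []   # (server, mn_src_ip, xid)
        self.dropped: List[Tuple[str, str]] = []          # (mn_src_ip, reason)

    def preauth_complete(self, mn_src_ip: str) -> None:
        self.preauthenticated.add(mn_src_ip)

    def handle(self, mn_src_ip: str, msg: bytes) -> Optional[bytes]:
        """Return the message as relayed to the server, or None if filtered.
        The server's reply is later unicast back to mn_src_ip, which is why a
        request asking for a broadcast reply is rejected here."""
        hdr = parse_header(msg)
        if mn_src_ip not in self.preauthenticated:
            self.dropped.append((mn_src_ip, "not pre-authenticated"))
            return None
        if hdr["broadcast"]:
            self.dropped.append((mn_src_ip, "broadcast flag set"))
            return None
        relayed = bytearray(msg)
        relayed[HOPS_OFF] += 1
        if hdr["giaddr"] == b"\0\0\0\0":                # RFC 2131: relay fills giaddr
            relayed[GIADDR_OFF:GIADDR_OFF + 4] = socket.inet_aton(self.relay_ip)
        self.forwarded.append((self.dhcp_server, mn_src_ip, hdr["xid"]))
        return bytes(relayed)
```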
3.4 Proactive IP address acquisition using stateless autoconfiguration
In the case of IPv6, network address configuration is performed using DHCPv6 or stateless autoconfiguration. To proactively obtain a new IP address, the router advertisement of the next-hop router can be sent over the established tunnel, and a new IPv6 address is generated from the prefix and the MAC address of the mobile device. This address is assigned to a virtual interface of the client and sent to the home agent or correspondent node as a binding update. The router advertisement can easily be sent to the oCoA of the mobile device, whereas normally the router advertisement is sent on a scoped multicast address. This avoids the time needed to obtain an IP address and perform duplicate address detection.
After the mobile device enters the new network, the mobile node can perform DHCP on the physical interface to the new network, for example using DHCP INFORM, to obtain other configuration parameters such as the SIP server and DNS servers. This does not affect the ongoing communication between the mobile device and the correspondent host. The mobile node can also perform DHCP on the physical interface to the new network in order to extend the lease of the address that was proactively obtained before entering the new network.
In order for the DHCP binding of the mobile node to be kept, and the allocated IP address to be remembered after the secure proactive handover, the same DHCP client identifier needs to be used for the mobile node both in the DHCP run used for proactive IP address acquisition and in the DHCP run performed after the mobile node enters the target network. The DHCP client identifier may be the MAC address of the mobile node or some other identifier. In the case of stateless autoconfiguration, the mobile device checks the prefix in the router advertisement seen in the new network and matches it against the prefix of the IP address it was last allocated. If they are indeed the same, the mobile device need not go through the IP address acquisition phase again.
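The stateless autoconfiguration path of sections 3.4 above, as an added example that is not part of the patent: the prefix from a router advertisement carried over the tunnel is combined with the node's MAC address into an IPv6 address that is parked on a virtual interface, and after attaching the node compares the live prefix with what it holds to decide whether acquisition can be skipped. The interface identifier follows RFC 4291 (modified EUI-64); the class and method names and the CTN labels are this example's own.

```python
# Added example, not from the patent: proactive IPv6 stateless autoconfiguration
# over the handover tunnel and the prefix check on arrival (section 3.4).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """64-bit interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
    insert 0xFFFE between the OUI and the device part, flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def autoconf_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix from a router advertisement with the interface id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


@dataclass
class VirtualInterface:
    """An address obtained in advance from a CTN, kept off the physical interface."""
    address: ipaddress.IPv6Address
    prefix: ipaddress.IPv6Network
    ctn: str  # constructed label for the CTN whose tunnel carried the RA


@dataclass
class MobileNode:
    mac: str
    physical_address: Optional[ipaddress.IPv6Address] = None
    virtual: Dict[str, VirtualInterface] = field(default_factory=dict)

    def on_tunneled_router_advertisement(self, ctn: str, prefix: str) -> VirtualInterface:
        """RA received through the proactive handover tunnel: build the address now,
        while still in the previous network, and hold it on a virtual interface
        (this is also the address that goes into the binding update)."""
        net = ipaddress.IPv6Network(prefix, strict=False)
        vif = VirtualInterface(autoconf_address(prefix, self.mac), net, ctn)
        self.virtual[ctn] = vif
        return vif

    def on_attach(self, live_ra_prefix: str) -> Tuple[str, Optional[str]]:
        """After attaching, compare the prefix of the real RA with the ones held.
        On a match the pre-built address moves to the physical interface and the
        acquisition phase is skipped; otherwise normal acquisition is needed."""
        live = ipaddress.IPv6Network(live_ra_prefix, strict=False)
        for ctn, vif in list(self.virtual.items()):
            if vif.prefix == live:
                self.physical_address = vif.address
                del self.virtual[ctn]
                return "reuse", str(vif.address)
        return "acquire", None
```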
4. Address resolution issues
4.1 Proactive duplicate address detection
When a DHCP server allocates an IP address, it updates its lease table so that the same address is not given to another client within a specific time. At the same time, the client keeps a local lease table of its own so that it can renew when needed. In some cases a network consists of both DHCP-enabled and non-DHCP clients, and an IP address from the DHCP address pool may already have been used to configure another client on the LAN.
In this situation, the server performs duplicate address detection based on ARP (Address Resolution Protocol), or IPv6 neighbor discovery, before allocating the IP address. This detection procedure may take 4 to 15 seconds (see, for example, reference [MAGUIRE] above) and adds to the handover delay. In the case of proactive IP address acquisition, this detection is performed in advance and thus does not affect the handover delay at all. By performing duplicate address detection ahead of time, we have removed this factor from the handover delay.
4.2 Proactive address resolution update
During the pre-configuration process it is also possible to learn the address resolution mappings that the mobile node will need, after attaching to the target network, to communicate with nodes in that network, where such nodes may be the access router, the authentication agent, the configuration agent, and correspondent nodes. There are multiple ways of performing this proactive address resolution.
1. Use an information service mechanism (see, for example, reference [NETDISC] above) to resolve the MAC addresses of the nodes. This may require every node in the target network to take part in the information service, so that the information service server can build a database for proactive address resolution.
2. Extend the authentication protocol used for pre-authentication, or the configuration protocol used for pre-configuration, to support proactive address resolution. For example, if PANA is used as the authentication protocol for pre-authentication, PANA messages can carry AVPs used for proactive address resolution. In this case, the PANA authentication agent in the target network can perform address resolution on behalf of the mobile node.
3. DNS can also be used to map the IP address of a network element in the target network to the MAC address of the specified interface. A new DNS resource record (RR) can be defined to proactively resolve the MAC addresses of nodes in the target network. However, since a MAC address is a resource bound to an IP address rather than directly to a domain name, this method has its own limitations.
When the mobile node attaches to the target network, it can install the proactively obtained address resolution mappings without having to perform address resolution queries for the nodes in the target network.
On the other hand, the nodes in the target network that communicate with the mobile node should also update their address resolution mappings for the mobile node as soon as the mobile node attaches to the target network. The proactive address resolution methods above could also be used by those nodes to resolve the MAC address of the mobile node proactively, before the mobile node attaches to the target network. However, this is not done, because those nodes would need to detect the attachment of the mobile node to the target network before adopting the proactively resolved mapping. A better approach is to combine attachment detection with the address resolution mapping update. This is based on gratuitous address resolution (see references [RFC 3344] and [RFC 3775] above): after attaching to the new network, the mobile node immediately sends an ARP (Address Resolution Protocol) request or ARP reply in the case of IPv4, or a neighbor advertisement in the case of IPv6, so that the nodes in the target network can quickly update their address resolution mappings for the mobile node.
5. Tunnel management
After an IP address has been proactively obtained from the DHCP server in the CTN, a proactive handover tunnel is established between the mobile node and the access router in the CTN. The mobile node uses the obtained IP address as the tunnel inner address and, most probably, assigns that address to a virtual interface.
The proactive handover tunnel is established using a tunnel management protocol. When IKEv2 is used for proactive IP address acquisition, IKEv2 is also used as the tunnel management protocol.
Alternatively, when PANA is used for proactive IP address acquisition, PANA can be used as the secure tunnel management protocol.
Once the proactive handover tunnel has been established between the mobile node and the access router in the candidate target network, the access router also needs to perform proxy address resolution on behalf of the mobile node, so that it can capture any packets destined to the mobile node's new address.
Since the mobile device needs to be able to communicate with correspondent nodes while still in the previous network, binding updates and some or all of the data from the correspondent node to the mobile node need to be sent back to the mobile node through the proactive handover tunnel. When Session Initiation Protocol (SIP) mobility is used as the mobility management protocol, the new address is reported to the correspondent node as the contact address using a SIP Re-INVITE. Once the SIP user agent of the correspondent node has obtained the new contact address, it sends an OK to that new contact address, which actually belongs to the target network. Since the OK signal is directed to the new contact address, the access router in the target network picks up the OK signal and sends it to the mobile device in the previous network. The final ACK message from the mobile device is received at the correspondent node. In the absence of ingress filtering, data from the mobile device to the correspondent node need not be sent through the tunnel. After the SIP Re-INVITE signaling handshake has completed, data from the correspondent node is sent to the mobile device via the proactive handover tunnel.
After the mobile node attaches to the target network, the proactive handover tunnel needs to be deleted or disabled so that traffic is directed to the mobile node. The tunnel management protocol used to establish the tunnel is used for this purpose as well.
Alternatively, when PANA is used as the authentication protocol, deletion or disabling of the tunnel at the access router can be triggered by the PANA update mechanism as soon as the mobile device moves to the target network. A link-layer trigger that confirms the mobile node has really attached to the target network can also be used as the trigger for deleting or disabling the tunnel.
6. Binding update
There are several types of binding update mechanisms, depending on the mobility management scheme. In some cases, such as Mobile IPv4 without route optimization (RO), a binding update is sent only to the home agent (HA), while in the case of Mobile IPv6 binding updates are sent to both the home agent and the correspondent host. In the case of SIP-based terminal mobility, the mobile device sends a binding update to the correspondent node using a Re-INVITE and a registration message to the registrar. Depending on the distance between the mobile device and the correspondent node, the binding update may contribute to the handover delay. SIP fast handover (see, for example, [SIPFAST]) provides several methods to reduce the handover delay caused by the binding update. In the case of secure proactive handover with SIP-based mobility management, we eliminate the delay caused by the binding update entirely, because it takes place in the previous network. This scheme is therefore more attractive when the correspondent node is far away from the communicating mobile node.
7. Preventing packet loss
In the MPA case, we do not observe any packet loss caused by IP address acquisition, security authentication and binding update. However, before the mobile node can attach to the target network, there may be some transient packets directed to the mobile node while the link-layer handover is in progress. These transient packets may be lost.
Bicasting, or buffering the transient packets at the access router, can be used to minimize or eliminate packet loss. However, bicasting does not eliminate packet loss if the link-layer handover is not performed seamlessly. Buffering, on the other hand, does not reduce packet delay. Although the packet delay can be compensated by a playout buffer at the receiver side for streaming applications, a playout buffer does not help much for interactive VoIP, which cannot tolerate large delay jitter. Optimizing the link-layer handover therefore remains very important in any case.
In addition, the MN may also make sure that the new point of attachment is reachable before switching away from the old point of attachment. This can be done by exchanging link-layer management frames with the new point of attachment. This reachability check should be performed as early as possible. To prevent packet loss during the reachability check, data packet transmission on the link between the MN and the old point of attachment should be suspended for its duration by buffering the packets at both ends of the link. This buffering can be carried out in various ways, as will be understood from this disclosure.
8. Switch-back considerations
Ping-pong is one of the common problems found in handover situations. It occurs when a mobile device is at the boundary of a cell or at a decision point and performs the handover process repeatedly.
In particular, this leads to a higher probability of dropped calls, lower connection quality, increased signaling traffic and a waste of resources, all of which affect mobility optimization. The handoff algorithm is the decisive factor in switching between networks. Generally, these algorithms use thresholds to compare the values of different metrics in order to decide on the handoff. The metrics include signal strength, path loss, carrier-to-interference ratio (CIR), signal-to-interference ratio (SIR), bit error rate (BER), power budget, and so on.
To avoid ping-pong, the decision algorithms use some additional parameters, such as a hysteresis margin, a dwell timer and an averaging window. For high-speed mobile vehicles, other parameters can also be considered to reduce ping-pong, such as the distance between the mobile host (MH) and the point of attachment, the speed of the mobile device, the position of the mobile device, and traffic and bandwidth characteristics.
Recently, some other handoff algorithms have been proposed that help reduce ping-pong in heterogeneous network environments, based on techniques such as hypothesis testing, dynamic programming and pattern recognition. While implementing a handoff algorithm that reduces ping-pong is very important, implementing a method to recover from its effects is just as important.
In the case of the MPA framework, ping-pong causes the mobile device to move back and forth between the current network and the target network, and among the candidate target networks. The MPA in its current form is affected by this because of the various tunnel setups, the number of binding updates and the associated handover latency. Since ping-pong is related to the handover rate, it also results in delay and packet loss.
In certain embodiments, several algorithms are proposed whose execution helps reduce the possibility of ping-pong. In addition, several methods are proposed for the MPA framework that can recover from the packet loss caused by ping-pong.
In certain embodiments, the MPA framework can use global positioning system (GPS) to utilize the geographical position of said mobile device with respect to the AP in the adjacent network.In this, illustrative gps system comprises the constellation of the satellite that rotates around the earth, and allows gps receiver accurately to measure its geographical position.For fear of the vibration between the network, utilize customer location and the data of the high-speed cache attempted from previous switching between correlation, can obtain location-based intelligent algorithm.In some cases, the position possibly not be the unique designator that is used to switch judgement.For example, in the network of Manhattan (Manhattan) type, although mobile device near AP, it possibly not have enough signal noise ratios (SNR) to carry out good connection yet.Therefore, mobility pattern and Path Recognition might help avoid said ping-pong.
When shortage can be avoided the good handoff algorithms of ping-pong, possibly need to propose good Restoration Mechanism, thereby alleviate said ping-pong.The context set up maybe be in a period of time in current network, kept, thereby when mobile device is got back in this contextual network of use last time, fast quick-recovery can be carried out.Tunnel that these contexts can comprise security association, employed IP address, set up etc.Under situation about moving back and forth between the network, in the predefined period, data multicast also will be helped to handle the packet of losing to previous network and new network at mobile device.Mobile device should be able to confirm with respect to the table tennis situation, whether it is in stable state.
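The following Python program is an added example, not code from the patent or from any MPA implementation. It combines the ingredients the text lists into one handoff decider: a hysteresis margin, a dwell timer, a cache of earlier handover attempts keyed by GPS position, an SNR gate for the Manhattan case, a steady-state check that counts recent handoffs, and bicasting to the previous network for a grace period as the recovery mechanism. Every threshold, the grid-cell size used to bucket positions, and the measurement sequence in `run_scenario()` are assumptions chosen for illustration.

```python
"""Location-aware handoff decision with ping-pong avoidance and recovery.

Added example (not the patent's code). Thresholds, cell size and the
sample measurements are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Candidate:
    name: str
    rssi_dbm: float   # measured signal strength from this attachment point
    snr_db: float     # measured signal-to-noise ratio (non-position indicator)


@dataclass
class HandoffDecider:
    hysteresis_db: float = 6.0       # candidate must beat the current AP by this margin
    min_snr_db: float = 12.0         # near an AP but below this SNR: do not switch
    dwell_s: float = 2.0             # minimum time on a network before leaving it
    cell_m: float = 25.0             # GPS positions are cached at this granularity
    window_s: float = 30.0           # ping-pong detection window
    max_handoffs_in_window: int = 3  # reaching this many handoffs means "not stable"
    bicast_grace_s: float = 5.0      # keep sending to the previous network this long
    cache: dict = field(default_factory=dict)    # (cell, src, dst) -> last attempt ok?
    history: list = field(default_factory=list)  # (time, src, dst) of handoffs made

    def _cell(self, xy):
        return (round(xy[0] / self.cell_m), round(xy[1] / self.cell_m))

    def record_outcome(self, xy, src, dst, success):
        """Remember whether a handover src->dst at this location worked out."""
        self.cache[(self._cell(xy), src, dst)] = success

    def is_stable(self, now):
        """Steady-state test: too many handoffs inside the window means ping-pong."""
        recent = [t for t, _, _ in self.history if now - t <= self.window_s]
        return len(recent) < self.max_handoffs_in_window

    def decide(self, now, xy, current, candidates, last_handoff_t):
        """Return (target name or None, reason) for the current measurements."""
        if now - last_handoff_t < self.dwell_s:
            return None, "dwell"
        if not self.is_stable(now):
            return None, "ping-pong"
        best = None
        for c in candidates:
            if c.snr_db < self.min_snr_db:
                continue                      # strong RSSI but unusable link
            if c.rssi_dbm - current.rssi_dbm < self.hysteresis_db:
                continue                      # inside the hysteresis margin
            if self.cache.get((self._cell(xy), current.name, c.name)) is False:
                continue                      # this switch failed here before
            if best is None or c.rssi_dbm > best.rssi_dbm:
                best = c
        if best is None:
            return None, "stay"
        self.history.append((now, current.name, best.name))
        return best.name, "handoff"

    def delivery_targets(self, now, last_handoff_t, previous, new):
        """Recovery: bicast to both networks until the grace period has passed."""
        if now - last_handoff_t <= self.bicast_grace_s:
            return [previous, new]
        return [new]


def run_scenario():
    """Constructed measurement sequence; returns the list of decisions made."""
    d = HandoffDecider()
    cell = Candidate("cell", rssi_dbm=-70, snr_db=25)
    wlan = Candidate("wlan", rssi_dbm=-60, snr_db=20)
    weak_wlan = Candidate("wlan", rssi_dbm=-58, snr_db=8)     # Manhattan case
    strong_cell = Candidate("cell", rssi_dbm=-50, snr_db=25)
    out = []
    out.append(d.decide(5.0, (100, 100), cell, [wlan], last_handoff_t=0.0))      # handoff
    out.append(d.decide(6.0, (100, 100), wlan, [cell], last_handoff_t=5.0))      # dwell
    out.append(d.decide(20.0, (300, 300), cell, [weak_wlan], last_handoff_t=5.0))  # SNR gate
    d.record_outcome((100, 100), "cell", "wlan", success=False)
    out.append(d.decide(30.0, (105, 102), cell, [wlan], last_handoff_t=5.0))     # cache says no
    for t, cur, cands in ((40.0, cell, [wlan]), (43.0, wlan, [strong_cell]),
                          (46.0, cell, [wlan]), (49.0, wlan, [strong_cell])):
        out.append(d.decide(t, (500, 500), cur, cands, last_handoff_t=t - 3.0))
    out.append(d.delivery_targets(now=47.0, last_handoff_t=46.0, previous="cell", new="wlan"))
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The fourth decision shows the cache from claim 2 at work: the position (105, 102) falls into the same 25 m cell as the earlier failed attempt at (100, 100), so the switch is refused even though the signal margin is sufficient. The last three decisions in the loop show the steady-state check tripping once three handoffs have happened inside the window.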
9. Link-layer security and mobility
Using the MPA-SA established between the mobile node and the authentication agent in the CTN during the pre-authentication phase, link-layer security in the CTN can be bootstrapped as follows while the mobile node is still in the current network.
1. The authentication agent in the CTN and the mobile node derive a PMK (pairwise master key) from the MPA-SA (see [I-D.ietf-eap-keying] above), where the MPA-SA is the result of successful pre-authentication. Pre-authentication may involve running EAP and an AAA protocol to establish the MPA-SA. From the PMK, a distinct TSK (transient session key) for the mobile node is derived, directly or indirectly, for each attachment point in the CTN (see [I-D.ietf-eap-keying] above).
2. The authentication agent may install the keys derived from the PMK that are used for the security associations with the attachment points. The derived key may be the TSK itself, or an intermediate key from which the TSK is then derived.
3. After the mobile node has selected the CTN as its target network and switched to an attachment point in the target network (which has now become the new network for the mobile node), it uses the PMK to run a security association protocol such as the IEEE 802.11i 4-way handshake [802.11i] to establish a PTK (pairwise transient key) and a GTK (group transient key) (see [I-D.ietf-eap-keying] above), which are used to protect link-layer packets between the mobile node and the attachment point. No additional EAP authentication is needed here.
4. As the mobile node roams within the new network, it only needs to run the security association protocol with its attachment point, without any additional EAP authentication. In this way, link-layer handover optimization mechanisms such as 802.11r can be integrated with MPA.
The mobile node may need to know the link-layer identifiers of the attachment points in the CTN in order to derive the TSKs. If PANA is used as the pre-authentication protocol, this can be achieved by a PANA-Bind-Request message sent from the PAA carrying Device-Id AVPs (see [I-D.ietf-pana-pana] above), where each attribute-value pair (AVP) contains the BSSID (basic service set identifier) of a different access point.
Referring to FIG. 3, the bootstrapping of link-layer security according to some illustrative embodiments is shown diagrammatically.
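The four steps above, carried through in Python as an added example (not the patent's code, and not an implementation of any IETF or IEEE specification). The first step, turning the MPA-SA into a PMK, is not specified by the text beyond "derived from the MPA-SA", so the HKDF-SHA256 labels used for it are an assumption. The remaining steps follow the IEEE 802.11i 4-way handshake as published: the PRF that expands the PMK into KCK, KEK and TK with the authenticator address (the AP's BSSID) and station address as inputs, and the EAPOL-Key MIC (key descriptor version 2, HMAC-SHA1 truncated to 128 bits) by which the supplicant proves it holds the PMK. The MAC addresses, nonces and MPA-SA key are constructed sample values. The intermediate-key option of step 2 is not modeled; per-AP key separation comes from the BSSID entering the PRF input, which is also why the node needs the BSSIDs from the Device-Id AVPs in advance.

```python
"""Bootstrapping 802.11i link-layer keys from an MPA-SA (added example).

Not the patent's code. MPA-SA -> PMK uses HKDF-SHA256 with labels chosen
here (an assumption). PTK expansion and the EAPOL-Key MIC follow IEEE 802.11i.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def pmk_from_mpa_sa(mpa_sa_key: bytes, mn_id: bytes, ctn_id: bytes) -> bytes:
    """Step 1: PMK shared by the MN and the CTN's authentication agent.
    Label and inputs are an assumption; the text only requires that the PMK
    be obtained from the MPA-SA after successful pre-authentication."""
    return hkdf_sha256(mpa_sa_key, b"MPA-SA-to-PMK", mn_id + ctn_id, 32)


def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """Steps 2-3: per-AP PTK = KCK || KEK || TK (384 bits for CCMP).
    The authenticator address (the AP's BSSID) is part of the PRF input, so
    each attachment point ends up with its own transient key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC, key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def handshake(pmk_ap: bytes, pmk_sta: bytes, bssid: bytes, sta_mac: bytes,
              anonce: bytes, snonce: bytes):
    """4-way handshake reduced to its key-confirmation step (message 2).
    Returns whether the AP accepts the MIC and the TK it would install."""
    kck_sta, _, _ = derive_ptk(pmk_sta, bssid, sta_mac, anonce, snonce)
    kck_ap, _, tk_ap = derive_ptk(pmk_ap, bssid, sta_mac, anonce, snonce)
    msg2 = b"\x02" + snonce          # constructed stand-in for the EAPOL-Key body
    mic = eapol_mic(kck_sta, msg2)   # supplicant proves it holds the PMK
    accepted = hmac.compare_digest(mic, eapol_mic(kck_ap, msg2))
    return accepted, (tk_ap if accepted else None)


def demo() -> dict:
    """Constructed sample values; no EAP run happens at handover time."""
    mpa_sa_key = bytes(range(32))
    mn_id, ctn_id = b"mn@example.net", b"ctn-1"
    sta_mac = bytes.fromhex("020000000001")
    bssid_a = bytes.fromhex("020000aa0001")   # as learned from PANA Device-Id AVPs
    bssid_b = bytes.fromhex("020000aa0002")
    anonce = hashlib.sha256(b"anonce").digest()
    snonce = hashlib.sha256(b"snonce").digest()

    pmk = pmk_from_mpa_sa(mpa_sa_key, mn_id, ctn_id)   # both sides hold this after pre-auth
    ok_a, tk_a = handshake(pmk, pmk, bssid_a, sta_mac, anonce, snonce)
    ok_b, tk_b = handshake(pmk, pmk, bssid_b, sta_mac, anonce, snonce)
    # A node that never pre-authenticated (or holds a stale MPA-SA) fails message 2.
    stale_pmk = pmk_from_mpa_sa(b"\x00" * 32, mn_id, ctn_id)
    ok_stale, _ = handshake(pmk, stale_pmk, bssid_a, sta_mac, anonce, snonce)
    return {"ap_a_accepts": ok_a, "ap_b_accepts": ok_b,
            "per_ap_keys_differ": tk_a != tk_b,
            "stale_sa_rejected": not ok_stale, "tk_len": len(tk_a)}


if __name__ == "__main__":
    print(demo())
```

The check that matters for the framework is the last one in `demo()`: a node whose MPA-SA did not come from a successful pre-authentication with this CTN derives a different PMK, so its message 2 MIC fails and the AP installs no key, without any EAP exchange having to happen at handover time.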
10. Authentication during initial network attachment
When a mobile node initially attaches to a network, network access authentication takes place regardless of whether MPA is used. When MPA is used for handover optimization, the protocol used for network access authentication may be a link-layer network access authentication protocol such as IEEE 802.1X, or a higher-layer network access authentication protocol such as PANA.
11. Security considerations
This document describes a framework for secure handover optimization based on handover-related signaling between a mobile node and one or more candidate target networks to which the mobile node may move in the future. The framework involves obtaining resources from the CTNs before the mobile node physically attaches to any of them, and redirecting packets from a CTN to the mobile node in the current network.
To prevent unauthorized mobile nodes from obtaining these resources, the acquisition of resources from a candidate target network must be accompanied by appropriate authentication and authorization procedures. For this reason, it is extremely important that the MPA framework can perform pre-authentication between the mobile node and the candidate target network. The MN-CA key and the MN-AR key generated as a result of successful pre-authentication can protect the subsequent handover signaling packets and data packets exchanged between the mobile node and the MPA functional elements in the CTN.
The MPA framework also addresses the security issues that arise when the handover crosses multiple administrative domains. With MPA, handover signaling can be based on direct communication between the mobile node and the routers or mobility agents in the candidate target network. This eliminates the need for a context transfer protocol, which has known limitations in terms of security (see [I-D.ietf-eap-keying] above). For this reason, the MPA framework does not require trust relationships between administrative domains or access routers, which makes the framework easier to deploy on the Internet without compromising security in mobile environments.
Broad scope of the invention:
Although illustrative embodiments of the invention have been described herein, the invention is not limited to the various preferred embodiments described here, but includes any and all embodiments having equivalent elements, modifications, omissions, combinations (for example, of aspects across various embodiments), adaptations and/or alterations, as would be appreciated by those skilled in the art based on this disclosure. The limitations in the claims are to be interpreted broadly based on the language used in the claims (including limitations added later), and are not limited to the examples described in this specification or during the prosecution of the application, which examples are to be construed as non-exclusive. For example, in this disclosure the term "preferably" is non-exclusive and means "preferably, but not limited to". In this disclosure and during the prosecution of this application, means-plus-function or step-plus-function limitations will only be applied to a particular claim limitation if all of the following conditions are present in that limitation: a) "means for" or "step for" is expressly recited; b) a corresponding function is expressly recited; and c) structure, material or acts that support that structure are not recited. In this disclosure and during the prosecution of this application, the terms "the present invention" or "invention" are used to refer to one or more aspects within this disclosure. These terms should not be improperly interpreted as an identification of criticality, should not be improperly interpreted as applying across all aspects or embodiments (that is, it should be understood that the present invention has a number of aspects and embodiments), and should not be improperly interpreted as limiting the scope of the application or the claims. In this disclosure and during the prosecution of this application, the term "embodiment" can be used to describe any aspect, feature, process or step, any combination thereof, and/or any portion thereof, etc. In some examples, various embodiments may include overlapping features. In this disclosure, the following abbreviation may be used: "e.g." means "for example".

Claims (17)

1. the method for the switching judgement that control and the exchange of mobile node between first network and second network reset relevant in being independent of the pre-authentication framework of medium may further comprise the steps:
A) for said mobile node position determination module is provided, it is configured to provide the position about the access point in the adjacent network to confirm;
B) part utilizes location-based algorithm to avoid the vibration between said first and second networks based on the output of said position determination module at least,
Said location-based algorithm comprises the instance in the past of confirming that mobile node exchanges between network, and confirms the criterion of switching based on said instance;
Said pre-authentication framework comprises that before said mobile node was from said first network mobile to said second network, said mobile node and said second network carried out pre-authentication.
2. method according to claim 1, wherein, said location-based algorithm is based, at least in part, on the position and relevant with the previous change action of this mobile node relevant by between the data of high-speed cache of mobile node.
3. method according to claim 2, wherein, said data by high-speed cache are stored in the digital data storage unit on the said mobile node.
4. method according to claim 2; Wherein, Said location-based algorithm comprises based on the data about in the past instance and is provided to another the exchange in said first network and said second network; Wherein, in the instance in said past, said mobile node be switched in said first network and said second network said another.
5. method according to claim 2; Wherein, Said location-based algorithm comprises based on the data about in the past instance and is not provided to another the exchange in said first network and said second network; Wherein, in the instance in said past, said mobile node be not switched in said first network and said second network said another.
6. method according to claim 1, wherein, said position determination module comprises gps receiver.
7. method according to claim 1, wherein, saidly utilize location-based algorithm to avoid the vibration between said first network and second network to comprise: make said algorithm at least part based at least one non-position instruction value.
8. method according to claim 7, wherein, said at least one non-position instruction value comprises the indicated value of signal noise ratio.
9. method according to claim 1 wherein, is carried out said algorithm through programming in said mobile node.
10. method according to claim 1 wherein, is carried out said algorithm through programming in the outside of said mobile node at least in part.
11. method according to claim 1 further comprises: the link layer diagnostic network access verification agreement that is utilized between the checking agency on said mobile node and said second network is carried out pre-authentication.
12. method according to claim 1 further comprises: cross over a plurality of management domains and carry out pre-authentication.
13. method according to claim 1, wherein, said first network is to first medium; And said second network is to different media; Wherein, said first medium is a cellular network, and said different medium is a WLAN; Perhaps said first medium is a WLAN, and said different medium is a cellular network.
14. method according to claim 2 further adopts PANA as the network access authentication agreement.
15. the method for the influence that a undesirable exchange that in being independent of the pre-authentication framework of medium, alleviates formerly network and the mobile node between the new network resets comprises step:
Use location-based algorithm to alleviate the vibration between first and second networks, said location-based algorithm comprises the instance in the past of confirming that mobile node exchanges between network, and confirms the criterion of switching based on said instance; And
In a period of time, send packet to said previous network and said new network; Thereby avoid when the data-bag lost of said mobile node when said new network is got back to said previous network; Said pre-authentication framework comprises; Before said mobile node was from said first network mobile to said second network, said mobile node and said second network carried out pre-authentication.
16. method according to claim 15, wherein, the step of said transmission packet comprises the said packet of multicast.
17. method according to claim 15, wherein, said previous network is to first medium; And said new network is to different media; Wherein, said first medium is a cellular network, and said different medium is a WLAN; Perhaps said first medium is a WLAN, and said different medium is a cellular network.
CN2011103346366A 2005-07-14 2006-07-13 Framework of media-independent pre-authentication support for pana Pending CN102395129A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US69894905P 2005-07-14 2005-07-14
US60/698,949 2005-07-14
US11/279,856 2006-04-14
US11/279,856 US7738882B2 (en) 2005-06-13 2006-04-14 Framework of media-independent pre-authentication improvements: including considerations for failed switching and switchback

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CNA2006800006158A Division CN101288273A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication improvements

Publications (1)

Publication Number Publication Date
CN102395129A true CN102395129A (en) 2012-03-28

Family

ID=40059386

Family Applications (3)

Application Number Title Priority Date Filing Date
CN2011103346366A Pending CN102395129A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication support for pana
CNA2006800006158A Pending CN101288273A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication improvements
CN2011100030342A Pending CN102065507A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication improvements

Country Status (2)

Country Link
JP (3) JP4745344B2 (en)
CN (3) CN102395129A (en)

Also Published As

Publication number Publication date
JP2008517516A (en) 2008-05-22
CN101288273A (en) 2008-10-15
JP5232887B2 (en) 2013-07-10
JP2011172240A (en) 2011-09-01
CN102065507A (en) 2011-05-18
JP2011172241A (en) 2011-09-01
JP4745344B2 (en) 2011-08-10
JP5641986B2 (en) 2014-12-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20120328